private rule NaikonCode : Naikon Family
{
    meta:
        description = "Naikon code features"
        author = "Seth Hardy"
        last_modified = "2014-06-25"

    strings:
        // Opcode fragments taken from the sample's decryption routine. Each hex
        // pattern is followed by the x86 instruction it encodes. Raw byte
        // patterns like these are only present in the scanned buffer once the
        // code is unpacked, so a packed or encrypted sample will not hit here
        // unless it is scanned after unpacking (e.g. a memory dump).
        $decrypt_imul_shl = { 0F AF C1 C1 E0 1F }  // imul eax, ecx; shl eax, 1fh
        $decrypt_xor      = { 35 5A 01 00 00 }     // xor eax, 15ah
        $decrypt_add      = { 81 C2 7F 14 06 00 }  // add edx, 6147fh

    condition:
        // The fragments are short (5-6 bytes each), so all three are required
        // to keep this rule specific to the routine rather than to a single
        // common instruction encoding.
        all of ($decrypt_*)
}
private rule NaikonStrings : Naikon Family
{
    meta:
        description = "Naikon Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-25"

    strings:
        // Plain text strings, matched as ASCII and case-sensitive (YARA's
        // defaults when no modifier is given). Backslashes and embedded quotes
        // are escaped per YARA text-string syntax: the last two patterns match
        // the literal bytes \Temp\iExplorer.exe and \Temp\"TSG".
        $naikon1 = "NOKIAN95/WEB"
        $naikon2 = "/tag=info&id=15"
        $naikon3 = "skg(3)=&3.2d_u1"
        $naikon4 = "\\Temp\\iExplorer.exe"
        $naikon5 = "\\Temp\\\"TSG\""

    condition:
        // A single identifying string is enough for this private rule to fire.
        // NOTE(review): $naikon4 is a fairly generic-looking file path, so one
        // hit on it alone satisfies the rule -- worth confirming against a
        // clean corpus that this does not produce false positives.
        1 of ($naikon*)
}
rule Naikon : Family
{
    meta:
        description = "Naikon"
        author = "Seth Hardy"
        last_modified = "2014-06-25"

    condition:
        // Public entry point: either evidence set on its own is sufficient, a
        // hit on one of the identifying strings or on the full set of
        // decryption-routine opcode fragments from the private rules above.
        NaikonStrings or NaikonCode
}