

rule APT_NGO_wuaclt
{
    // Flags the "wuaclt" implant associated with APT1 NGO-targeting activity by
    // three independent string clusters (drop path + beacon URI, drop directory +
    // hard-coded token, C2 format strings + custom HTTP headers). The clusters are
    // OR-ed, so a sample only has to exhibit one of them to match.
    //
    // NOTE(review): YARA text strings match byte-for-byte, so "%%" below matches
    // two literal percent signs while $uri_news uses a single '%'. Confirm against
    // a known sample which form the binary actually contains before relying on
    // the "%%" strings.
    // NOTE(review): no 'wide' modifier is used; if the implant stores any of these
    // as UTF-16LE the ASCII-only strings will not fire. Verify on a sample before
    // broadening.
    meta:
        author = "@iocbucket"
        description = "Yara rule for the PDF delivery vehicle and Communications based on APT 1"
    strings:
        // Cluster 1: on-disk artefact, IE6 User-Agent and beacon URI.
        // $ua_ie6_sv1 alone is a very common legitimate UA, so it is only ever
        // evaluated in conjunction with the far more specific $drop_dat/$uri_news.
        $drop_dat   = "%%APPDATA%%\\Microsoft\\wuauclt\\wuauclt.dat"
        $ua_ie6_sv1 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
        $uri_news   = "/news/show.asp?id%d=%d"
        // Cluster 2: drop directory plus an opaque hard-coded token.
        $drop_dir   = "%%APPDATA%%\\Microsoft\\wuauclt\\"
        $token      = "0l23kj@nboxu"
        // Cluster 3: C2 request format string, custom UA and cookie header.
        $fmt_uri    = "%%s.asp?id=%%d&Sid=%%d"
        $ua_spq     = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SP Q%%d)"
        $cookie     = "Cookies: UseID=KGIOODAOOK%%s"
    condition:
        ($drop_dat and $ua_ie6_sv1 and $uri_news)
        or ($drop_dir and $token)
        or ($fmt_uri and $ua_spq and $cookie)
}