// Detects Neutrino ("N3utrino") samples by two independent signals: the
// printf-style body templates of the bot's HTTP POST check-ins, and the bare
// keyword strings for the commands it handles. Details of the sample are in
// the write-up referenced in `ref`.
// NOTE(review): meta key casing is mixed (Author/Description vs ref); left as
// written because downstream tooling may key on the existing names.
rule N3utrino
{
    meta:
        Author = "Nick Hoffman"
        Description = "Detects versions of Neutrino malware"
        ref = "http://www.morphick.com/resources/lab-blog/evening-n3utrino"

    strings:
        // POST body templates. The %s / %i placeholders are part of the
        // literal, so these match the format string embedded in the binary,
        // not the traffic it eventually produces. All strings in this rule
        // are plain ASCII matches (no wide / nocase modifiers).
        $post_host_information = "getcmd=1&uid=%s&os=%s&av=%s&nat=%s&version=%s&serial=%s&quality=%i"
        $post_cc_information = "dumpgrab=1&track_type=%s&track_data=%s&process_name=%s"
        $post_taskexec = "taskexec=1&task_id=%s"
        $post_taskfail = "taskfail=1&task_id=%s"

        // Bot command keywords. Each word is generic on its own (likely to
        // occur in benign binaries), which is why the condition requires
        // several of them together rather than any one.
        $command1 = "loader"
        $command2 = "findfile"
        $command3 = "spread"
        $command4 = "archive"
        $command5 = "usb"
        $command6 = "botkiller"
        $command7 = "dwflood"
        $command8 = "keylogger"

    condition:
        // Fire on half of the command keywords (4 of 8), or on any single
        // POST template, which the rule treats as specific enough to stand
        // alone.
        4 of ($command*) or any of ($post*)
}