Sneed-Reactivity/yara-mikesxrs/ballastsecurity/madnesspro.yar

32 lines
1.5 KiB
Text
Raw Normal View History

rule madnesspro_strings
{
meta:
author = "Brian Wallace @botnet_hunter"
author_email = "bwall@ballastsecurity.net"
date = "2014-03-13"
description = "Identify Madness Pro"
strings:
$c = "YXBvS0FMaXBsaXM9"
$str5 = "d3Rm" fullword
$str6 = "ZXhl" fullword
$string0 = "Referer: "
$string1 = "regini "
$string2 = "GetAtomNameA (atom, s, sizeof(s)) "
$string3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
$string4 = "dmVyPQ"
$string5 = "U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cRXhwbG9yZXJcU2hlbGwgRm9sZGVycw"
$string6 = "U1lTVEVNXENvbnRyb2xTZXQwMDJcc2VydmljZXNcU2hhcmVkQWNjZXNzXFBhcmFtZXRlcnNcRmlyZXdhbGxQb2xpY3lcU3RhbmRh"
$string7 = "Oio6RW5hYmxlZDo"
$string8 = "TW96aWxsYS80LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyBubDsgcnY6MS45LjIuMykgR2Vja28vMjAxMDA0MDEgRmly"
$string9 = "Q2hlY2tUb2tlbk1lbWJlcnNoaXA"
$string10 = "R0g1Sy1HS0w4LUNQUDQtREUyNA"
$string11 = "cookie"
$string12 = "U1lTVEVNXENvbnRyb2xTZXQwMDNcc2VydmljZXNcU2hhcmVkQWNjZXNzXFBhcmFtZXRlcnNcRmlyZXdhbGxQb2xpY3lcU3RhbmRh"
$string13 = "Content-Type: application/x-www-form-urlencoded"
$string14 = "Internet Explorer"
$string15 = "U1lTVEVNXEN1cnJlbnRDb250cm9sU2V0XFNlcnZpY2VzXFNoYXJlZEFjY2Vzc1xQYXJhbWV0ZXJzXEZpcmV3YWxsUG9saWN5XFN0"
$string16 = "U1lTVEVNXENvbnRyb2xTZXQwMDFcc2VydmljZXNcU2hhcmVkQWNjZXNzXFBhcmFtZXRlcnNcRmlyZXdhbGxQb2xpY3lcU3RhbmRh"
condition:
all of them
}