63 lines
1.8 KiB
Text
63 lines
1.8 KiB
Text
|
rule GravityRAT_G1_PDB
|
||
|
{
|
||
|
meta:
|
||
|
author = "Michael Worth"
|
||
|
reference = "https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html"
|
||
|
description = "PDB path for Gravity RAT G1"
|
||
|
|
||
|
strings:
|
||
|
$PDB1 = "f:\\F\\Windows Work\\G1\\Adeel's Laptop\\G1 Main Virus\\systemInterrupts\\gravity\\obj\\x86\\Debug\\systemInterrupts.pdb"
|
||
|
$PDB2 = "f:\\F\\Windows Work\\G1\\Adeel's Laptop\\"
|
||
|
$PDB3 = "\\gravity\\obj\\x86\\Debug\\"
|
||
|
condition:
|
||
|
any of them
|
||
|
}
|
||
|
|
||
|
rule GravityRAT_G2_PDB
|
||
|
{
|
||
|
meta:
|
||
|
author = "Michael Worth"
|
||
|
reference = "https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html"
|
||
|
description = "PDB path for Gravity RAT G2"
|
||
|
|
||
|
strings:
|
||
|
$PDB1 = "e:\\Windows Work\\G2\\G2 Main Virus\\Microsoft Virus Solutions (G2 v5) (Current)\\Microsoft Virus Solutions\\obj\\Debug\\Windows Wireless 802.11.pdb"
|
||
|
$PDB2 = "e:\\Windows Work\\G2\\"
|
||
|
$PDB3 = "\\G2\\G2 Main Virus\\Microsoft Virus Solutions (G2"
|
||
|
condition:
|
||
|
any of them
|
||
|
}
|
||
|
|
||
|
rule GravityRAT_G3_PDB
|
||
|
{
|
||
|
meta:
|
||
|
author = "Michael Worth"
|
||
|
reference = "https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html"
|
||
|
description = "PDB path for Gravity RAT G3"
|
||
|
|
||
|
strings:
|
||
|
$PDB1 = "F:\\Projects\\g3\\G3 Version 4.0\\G3\\G3\\obj\\Release\\Intel Core.pdb"
|
||
|
$PDB2 = "F:\\Projects\\g3\\G3 Version "
|
||
|
$PDB3 = "\\G3\\G3\\obj\\Release\\"
|
||
|
condition:
|
||
|
any of them
|
||
|
}
|
||
|
|
||
|
rule GravityRAT_GX_PDB
|
||
|
{
|
||
|
meta:
|
||
|
author = "Michael Worth"
|
||
|
reference = "https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html"
|
||
|
description = "PDB path for Gravity RAT GX"
|
||
|
|
||
|
strings:
|
||
|
$PDB1 = "C:\\Users\\The Invincible\\Desktop\\gx\\gx-current-program\\LSASS\\obj\\Release\\LSASS.pdb"
|
||
|
$PDB2 = "C:\\Users\\The Invincible\\D"
|
||
|
$PDB3 = "Desktop\\gx\\gx-"
|
||
|
condition:
|
||
|
any of them
|
||
|
}
|
||
|
|
||
|
|
||
|
|