/*
 * Ponmocup plugin detection, intended for memory scans (see description).
 *
 * Every pattern below has the same shape:
 *   4D 5A 90   "MZ" followed by 0x90, the usual start of a DOS/PE header
 *   [29]       29 bytes of any value
 *   XX XX      two bytes located 0x20 bytes after the "MZ"
 *
 * Read as a little-endian 16-bit value, the two trailing bytes equal the
 * decimal number used as the string identifier (4C 04 -> 0x044C -> 1100).
 * Given the rule's description and tag this is presumably the plugin ID.
 * In a standard DOS header, offset 0x20 lies inside the reserved e_res
 * words, which are normally zero.
 *
 * Notes for analysts:
 *  - The condition sets no offset, so a hit can sit anywhere in the scanned
 *    data, not only at the start of a file or region.
 *  - Only five bytes per pattern are fixed. Confirm a hit by examining the
 *    module at the match offset before treating it as conclusive.
 *  - The list is a fixed set of values; a plugin carrying a value that is
 *    not listed here will not match.
 *  - The identifier of the matching string shows which value was seen, so
 *    keep matched strings in the scan output (e.g. yara -s).
 */
rule Ponmocup : plugins
{
    meta:
        description = "Ponmocup plugin detection (memory)"
        author = "Danny Heppener, Fox-IT"

    strings:
        // values 1100-1406 (0x044C-0x057E)
        $1100 = { 4D 5A 90 [29] 4C 04 }
        $1201 = { 4D 5A 90 [29] B1 04 }
        $1300 = { 4D 5A 90 [29] 14 05 }
        $1350 = { 4D 5A 90 [29] 46 05 }
        $1400 = { 4D 5A 90 [29] 78 05 }
        $1402 = { 4D 5A 90 [29] 7A 05 }
        $1403 = { 4D 5A 90 [29] 7B 05 }
        $1404 = { 4D 5A 90 [29] 7C 05 }
        $1405 = { 4D 5A 90 [29] 7D 05 }
        $1406 = { 4D 5A 90 [29] 7E 05 }

        // values 1500-1512 (0x05DC-0x05E8)
        $1500 = { 4D 5A 90 [29] DC 05 }
        $1501 = { 4D 5A 90 [29] DD 05 }
        $1502 = { 4D 5A 90 [29] DE 05 }
        $1505 = { 4D 5A 90 [29] E1 05 }
        $1506 = { 4D 5A 90 [29] E2 05 }
        $1507 = { 4D 5A 90 [29] E3 05 }
        $1508 = { 4D 5A 90 [29] E4 05 }
        $1509 = { 4D 5A 90 [29] E5 05 }
        $1510 = { 4D 5A 90 [29] E6 05 }
        $1511 = { 4D 5A 90 [29] E7 05 }
        $1512 = { 4D 5A 90 [29] E8 05 }

        // values 1600-1803 (0x0640-0x070B)
        $1600 = { 4D 5A 90 [29] 40 06 }
        $1601 = { 4D 5A 90 [29] 41 06 }
        $1700 = { 4D 5A 90 [29] A4 06 }
        $1800 = { 4D 5A 90 [29] 08 07 }
        $1801 = { 4D 5A 90 [29] 09 07 }
        $1802 = { 4D 5A 90 [29] 0A 07 }
        $1803 = { 4D 5A 90 [29] 0B 07 }

        // values 2001-2004 (0x07D1-0x07D4)
        $2001 = { 4D 5A 90 [29] D1 07 }
        $2002 = { 4D 5A 90 [29] D2 07 }
        $2003 = { 4D 5A 90 [29] D3 07 }
        $2004 = { 4D 5A 90 [29] D4 07 }

        // values 2500-2810 (0x09C4-0x0AFA)
        $2500 = { 4D 5A 90 [29] C4 09 }
        $2501 = { 4D 5A 90 [29] C5 09 }
        $2550 = { 4D 5A 90 [29] F6 09 }
        $2600 = { 4D 5A 90 [29] 28 0A }
        $2610 = { 4D 5A 90 [29] 32 0A }
        $2700 = { 4D 5A 90 [29] 8C 0A }
        $2701 = { 4D 5A 90 [29] 8D 0A }
        $2750 = { 4D 5A 90 [29] BE 0A }
        $2760 = { 4D 5A 90 [29] C8 0A }
        $2810 = { 4D 5A 90 [29] FA 0A }

    condition:
        // One matching header anywhere in the scanned data is enough.
        any of them
}