rule UniformJuliett { meta: copyright = "2015 Novetta Solutions" author = "Novetta Threat Research & Interdiction Group - trig@novetta.com" Source = "Cmd03000_1a6f62e1630d512c3b67bfdbff26270177585c82802ffa834b768ff47be0a008.bin" strings: /* 56 push esi ; hSCObject FF D5 call ebp ; CloseServiceHandle 68 B8 0B 00 00 push 0BB8h ; dwMilliseconds FF 15 38 70 40 00 call ds:Sleep 6A 00 push 0 ; fCreateHighestLevel 68 60 A9 40 00 push offset PathName ; lpPathName E8 43 FE FF FF call RecursivelyCreateDirectories 83 C4 08 add esp, 8 68 60 A9 40 00 push offset PathName ; lpFileName FF 15 3C 70 40 00 call ds:DeleteFileA */ $a = { 56 FF D5 68 B8 0B 00 00 FF 15 [4] 6A 00 68 [4] E8 [4] 83 C4 08 68 [4] FF 15 } $ = "wauserv.dll" $ = "Rpcss" condition: all of them }