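// NewPoSThings RAM-scraper detection (Trend Micro, 2015-03-10).
//
// Two independent triggers:
//   1. any single build-path (PDB) artifact from the developer's projects, or
//   2. the complete set of nine generic runtime strings.
//
// Notes for operators:
//   - The condition carries no MZ-header or filesize guard, so the rule is
//     usable on process-memory dumps as well as files; add
//     `uint16(0) == 0x5A4D` (and a size bound) if you only scan files and
//     want to cut cost and false-positive surface.
//   - The generic-string branch requires ALL of $string0..$string8; a variant
//     missing any one of them will only match via a PDB path.
//   - The original published text used typographic quotes (“ ”), which YARA
//     does not accept; they are replaced with ASCII quotes here so the rule
//     compiles.
rule PoS_Malware_NewPOSThings2015 : newposthings2015
{
    meta:
        author = "Trend Micro, Inc."
        date = "2015-03-10"
        description = "Used to detect NewPoSThings RAM scraper, including 2015 sample set"

    strings:
        // Build artifacts left in the binaries: Visual Studio 2012 project paths.
        // Any one of these alone is sufficient. $pdb2 is the least specific and is
        // the likeliest of the four to hit unrelated software -- verify such hits.
        $pdb1 = "C:\\Users\\Tom\\documents\\visual studio 2012\\Projects\\NewPosThings\\Release\\NewPosThings.pdb" nocase
        $pdb2 = "C:\\Final32\\Release\\Final.pdb" nocase
        $pdb3 = "C:\\Users\\Tom\\documents\\visual studio 2012\\Projects\\jsd_12.2\\Release\\jsd_12.2.pdb" nocase
        $pdb4 = "C:\\Users\\Tom\\documents\\visual studio 2012\\Projects\\jsd_12.2\\x64\\Release\\jsd_12.2.pdb" nocase

        // Generic runtime strings. `wide` matches the UTF-16LE form; each one is
        // common in benign software, so the condition only accepts the full set.
        $string0 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide          // HKCU/HKLM Run key (autostart persistence)
        $string1 = "Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0)" wide          // looks like an HTTP User-Agent; the missing space after "4.0" is as found in the sample, do not "fix" it
        $string2 = "Content-Type: application/x-www-form-urlencoded" wide
        $string3 = "Use 64bit version." wide
        $string4 = "SeDebugPrivilege" wide                                            // privilege commonly requested to read other processes' memory
        $string5 = "Java Update Manager" wide                                         // presumably a Java-themed disguise name -- not confirmed here
        $string6 = "Java\\Javaj.exe" wide
        $string7 = "lsass.exe" wide
        $string8 = "aW5zZXJ0"                                                         // base64("insert"); ASCII only, deliberately not `wide`

    condition:
        any of ($pdb*) or all of ($str*)
}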