// Surtr stage-2 detection set.
// Layout: one private rule holds the strings shared by both stage-2 variants,
// two private rules hold the variant-specific strings, and the two public rules
// at the bottom AND a shared-string hit with a variant-specific hit.

private rule RSharedStrings : Surtr Family
{
    meta:
        description = "identifiers for remote and gmremote"
        author = "Katie Kleemola"
        last_updated = "07-21-2014"
    strings:
        // "wide" = match the UTF-16LE encoding of the literal.
        $ = "nView_DiskLoydb" wide
        $ = "nView_KeyLoydb" wide
        $ = "nView_skins" wide
        $ = "UsbLoydb" wide
        // NOTE(review): the next two are short/generic tokens and are weak
        // evidence on their own; this rule is private and only contributes
        // via the public rules below, which also require a variant-specific hit.
        $ = "%sBurn%s" wide
        $ = "soul" wide
    condition:
        // Any single shared artifact is enough to mark the "shared" half.
        any of them
}

private rule RemoteStrings : Remote Variant Surtr Family
{
    meta:
        description = "indicators for remote.dll - surtr stage 2"
        author = "Katie Kleemola"
        last_updated = "07-21-2014"
    strings:
        // Leading/trailing \x00 anchor the match on NUL-delimited strings so a
        // substring inside a longer identifier does not count.
        $ = "\x00Remote.dll\x00"
        $ = "\x00CGm_PlugBase::"
        $ = "\x00ServiceMain\x00_K_H_K_UH\x00"
        $ = "\x00_Remote_\x00" wide
    condition:
        any of them
}

private rule GmRemoteStrings : GmRemote Variant Family Surtr
{
    meta:
        description = "identifiers for gmremote: surtr stage 2"
        author = "Katie Kleemola"
        last_updated = "07-21-2014"
    strings:
        // Module name, a build-machine source path, and exported entry-point
        // names; all NUL-anchored as in RemoteStrings.
        $ = "\x00x86_GmRemote.dll\x00"
        $ = "\x00D:\\Project\\GTProject\\Public\\List\\ListManager.cpp\x00"
        $ = "\x00GmShutPoint\x00"
        $ = "\x00GmRecvPoint\x00"
        $ = "\x00GmInitPoint\x00"
        $ = "\x00GmVerPoint\x00"
        $ = "\x00GmNumPoint\x00"
        $ = "_Gt_Remote_" wide
        $ = "%sBurn\\workdll.tmp" wide
    condition:
        any of them
}

/*
 * Check if File has shared identifiers among Surtr Stage 2's
 * Then look for unique identifiers to each variant
 */

// Public rule: fires only when both the shared and the GmRemote-specific
// private rules match, so a lone generic shared string cannot trigger it.
rule GmRemote : Family Surtr Variant GmRemote
{
    meta:
        description = "identifier for gmremote"
        author = "Katie Kleemola"
        last_updated = "07-25-2014"
    condition:
        RSharedStrings and GmRemoteStrings
}

// Public rule: same structure as GmRemote, for the remote.dll variant.
rule Remote : Family Surtr Variant Remote
{
    meta:
        description = "identifier for remote"
        author = "Katie Kleemola"
        last_updated = "07-25-2014"
    condition:
        RSharedStrings and RemoteStrings
}