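// Point of Sale (POS) Malware
//
// Detection rules for several POS memory-scraper families. Every rule anchors on
// the MZ header at offset 0, so it only fires on PE images, and then requires all
// of its family-specific strings. Rule identifiers are kept exactly as published
// ("scrapper", "malwre") because other rule sets may reference them by name.

rule pos_memory_scrapper2
{
    meta:
        author = "@patrickrolsen"
        maltype = "Point of Sale (POS) Malware Memory Scraper"
        version = "0.2"
        description = "POS Memory Scraper"
        reference = "7f9cdc380eeed16eaab3e48d59f271aa http://www.xylibox.com/2013/05/dump-memory-grabber-blackpos.html"
        date = "01/03/2014"
    strings:
        $magic = { 4D 5A } // MZ Header
        // "kartoxa" and "KAPTOXA" differ in their third letter (R vs P); both are
        // separate required strings, each matched case-insensitively.
        $string1 = "kartoxa" nocase
        $string2 = "CC2 region:"
        $string3 = "CC memregion:"
        $string4 = "target pid:"
        $string5 = "scan all processes:"
        // The published version also carried `$string6 = " "`, a single space.
        // A one-byte atom is present in practically every PE, so it added no
        // selectivity to the `all of` condition and YARA reports such strings as
        // slowing down scanning. It is dropped here; if the space was an
        // extraction artefact of a longer string, restore that string from the
        // original source rather than re-adding the bare space.
        $string7 = "KAPTOXA" nocase
    condition:
        ($magic at 0) and all of ($string*)
}

rule pos_malwre_dexter_stardust
{
    meta:
        author = "@patrickrolsen"
        maltype = "Dexter Malware - StarDust Variant"
        version = "0.1"
        description = "Table 2 arbornetworks.com/asert/wp-content/uploads/2013/12/Dexter-and-Project-Hook-Break-the-Bank.pdf"
        reference = "16b596de4c0e4d2acdfdd6632c80c070, 2afaa709ef5260184cbda8b521b076e1, and e3dd1dc82ddcfaf410372ae7e6b2f658"
        date = "12/30/2013"
    strings:
        $magic = { 4D 5A } // MZ Header
        // Doubled backslashes are YARA escapes: this matches the literal
        // path fragment ceh_3\.\ceh_4\..\ceh_6
        $string1 = "ceh_3\\.\\ceh_4\\..\\ceh_6"
        $string2 = "Yatoed3fe3rex23030am39497403"
        $string3 = "Poo7lo276670173quai16568unto1828Oleo9eds96006nosysump7hove19"
        $string4 = "CommonFile.exe"
    condition:
        ($magic at 0) and all of ($string*)
}

rule pos_malware_project_hook
{
    meta:
        author = "@patrickrolsen"
        maltype = "Project Hook"
        version = "0.1"
        description = "Table 1 arbornetworks.com/asert/wp-content/uploads/2013/12/Dexter-and-Project-Hook-Break-the-Bank.pdf"
        reference = "759154d20849a25315c4970fe37eac59"
        date = "12/30/2013"
    strings:
        $magic = { 4D 5A } // MZ Header
        $string1 = "CallImage.exe"
        $string2 = "BurpSwim"
        $string3 = "Work\\Project\\Load" // literal Work\Project\Load
        $string4 = "WortHisnal"
    condition:
        ($magic at 0) and all of ($string*)
}

rule pdb_strings_Rescator
{
    meta:
        author = "@patrickrolsen"
        maltype = "N/A Threat Intel..."
        version = "0.2"
        description = "Rescator PDB strings within binaries"
        date = "01/03/2014"
    strings:
        $magic = { 4D 5A } // MZ Header
        // Single indicator: a \Projects\Rescator build-path fragment, matched
        // case-insensitively. With only one string this rule is intentionally
        // broad, so treat hits as a triage lead rather than a verdict.
        $pdb1 = "\\Projects\\Rescator" nocase
    condition:
        ($magic at 0) and $pdb1
}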