// 9002 family: two private helper rules (code bytes, strings) feed one public
// rule. The helpers are `private`, so a scan reports only APT9002, never the
// helpers by themselves.

// Code-level indicators for 9002 samples.
private rule APT9002Code : APT9002 Family
{
    meta:
        description = "9002 code features"
        author = "Seth Hardy"
        last_modified = "2014-06-25"

    strings:
        // start code block
        // (decodes as mov ecx,0x217A / mov esi,imm32 / ... / mov edi,eax / ... /
        //  rep movsd — looks like a fixed-length copy; ?? bytes are wildcards)
        $code_start = { B9 7A 21 00 00 BE ?? ?? ?? ?? 8B F8 ?? ?? ?? F3 A5 }

        // decryption from other variant with multiple start threads
        // (appears to be a byte-wise xor loop: load, xor bl,dl, store, inc eax,
        //  cmp eax,edx, jb back to the top)
        $code_decrypt = { 8A 14 3E 8A 1C 01 32 DA 88 1C 01 8B 54 3E 04 40 3B C2 72 EC }

    condition:
        any of them
}

// String-level indicators for 9002 samples: C2 request format, temp-file
// names and a couple of embedded export/file names.
private rule APT9002Strings : APT9002 Family
{
    meta:
        description = "9002 Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-25"

    strings:
        // beacon request format string (ascii only)
        $s_post      = "POST http://%ls:%d/%x HTTP/1.1"

        // temp-directory artifact names; `wide ascii` covers both UTF-16LE
        // and single-byte encodings
        $s_tmp_p_ax  = "%%TEMP%%\\%s_p.ax" wide ascii
        $s_tmp_uid   = "%TEMP%\\uid.ax" wide ascii
        $s_tmp_ax    = "%%TEMP%%\\%s.ax" wide ascii

        // also triggers on surtr
        $s_mydll     = "mydll.dll\x00DoWork"
        $s_sysinfo   = "sysinfo\x00sysbin01"
        $s_flashupd  = "\\FlashUpdate.exe"

    condition:
        any of them
}

// Public rule: fires when either the code or the string helper matches.
rule APT9002 : Family
{
    meta:
        description = "9002"
        author = "Seth Hardy"
        last_modified = "2014-06-25"

    condition:
        APT9002Code or APT9002Strings
}