/*
 * Surtr stage-one detection (rule metadata: last_updated 2014-07-16).
 * Two private helper rules are combined by the public `Surtr` rule:
 * SurtrCode matches code fragments, SurtrStrings matches plaintext strings.
 */
private rule SurtrCode : Surtr Family
{
    meta:
        author = "Katie Kleemola"
        description = "Code features for Surtr Stage1"
        last_updated = "2014-07-16"

    strings:
        // decrypt config: byte-wise loop. The `3C 01` / `34 01` opcode pairs
        // decode as cmp al,1 / xor al,1, so this presumably is a per-byte
        // XOR-with-1 decoder for the config blob — confirm against a sample.
        $ = { 8A ?? ?? 84 ?? ?? 74 ?? 3C 01 74 ?? 34 01 88 41 3B ?? 72 ?? }
        // if Burn folder name is not in strings: the name is written one byte
        // at a time (C6 = mov byte; immediates 42 75 72 6E 5C spell "Burn\"),
        // so it never appears as a literal. [3] skips exactly three operand
        // bytes between opcode and immediate; a different addressing form
        // would need a different jump width — verify on new samples.
        $ = { C6 [3] 42 C6 [3] 75 C6 [3] 72 C6 [3] 6E C6 [3] 5C }
        // mov char in _Fire: same byte-wise construction, immediates
        // 5F 46 69 72 65 2E 64 spell "_Fire.d"
        $ = { C6 [3] 5F C6 [3] 46 C6 [3] 69 C6 [3] 72 C6 [3] 65 C6 [3] 2E C6 [3] 64 }

    condition:
        // any single code fragment is enough for this helper
        any of them
}

private rule SurtrStrings : Surtr Family
{
    meta:
        author = "Katie Kleemola"
        description = "Strings for Surtr"
        last_updated = "2014-07-16"

    strings:
        // \x00 on both sides anchors the match to a NUL-bounded name,
        // e.g. an exported/loaded module name, rather than a substring
        $ = "\x00soul\x00"
        $ = "\x00InstallDll.dll\x00"
        $ = "\x00_One.dll\x00"
        $ = "_Fra.dll"
        $ = "CrtRunTime.log"
        // NOTE(review): these two 6-byte strings are short and, with
        // `any of them`, each triggers the rule on its own — watch for
        // false positives when this helper is used outside `Surtr`
        $ = "Prod.t"
        $ = "Proe.t"
        // "\\" is an escaped backslash: matches the bytes `Burn\`
        $ = "Burn\\"
        $ = "LiveUpdata_Mem\\"

    condition:
        // any single string is enough for this helper
        any of them
}

rule Surtr : Family
{
    meta:
        author = "Katie Kleemola"
        description = "Rule for Surtr Stage One"
        last_updated = "2014-07-16"

    condition:
        // public rule: fires when either helper above matches
        SurtrStrings or SurtrCode
}