// Mongal family signatures: one opcode sequence and a small set of file
// name strings, combined into a single public rule so that either kind
// of evidence is enough to report the family.

private rule MongalCode : Mongal Family
{
    meta:
        description = "Mongal code features"
        author = "Seth Hardy"
        last_modified = "2014-07-15"

    strings:
        // Tick-count comparison loop as compiled in the sample:
        //   mov ecx, eax ; mov eax, 0x10624DD3 ; mul ecx ; shr edx, 6
        //   sub edx, esi ; cmp edx, 5 ; jbe <backwards>
        // 0x10624DD3 followed by shr edx, 6 is the compiler's
        // multiply-by-reciprocal form of an unsigned divide by 1000
        // (milliseconds -> seconds); the cmp/jbe then loops while the
        // elapsed value is <= 5.  Reading it as a ~5 second tick-count
        // delay is inferred from the opcodes, not confirmed from source.
        $tick_check = { 8B C8 B8 D3 4D 62 10 F7 E1 C1 EA 06 2B D6 83 FA 05 76 EB }

    condition:
        $tick_check
}

private rule MongalStrings : Mongal Family
{
    meta:
        description = "Mongal Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-07-15"

    strings:
        // Plain ASCII matches only (no `wide` modifier), so UTF-16
        // copies of these names are not covered.  File names are
        // weaker evidence than the code pattern above; a hit on this
        // rule alone deserves a look before it is treated as confirmed.
        $dll_a = "NSCortr.dll"
        $dll_b = "NSCortr1.dll"
        $exe   = "Sina.exe"

    condition:
        1 of them
}

rule Mongal : Family
{
    meta:
        description = "Mongal"
        author = "Seth Hardy"
        last_modified = "2014-07-15"

    // Fires on either the code pattern or the file-name strings; the
    // private rules themselves never appear in scan output.
    condition:
        MongalStrings or MongalCode
}