20 lines
No EOL
688 B
Text
20 lines
No EOL
688 B
Text
rule backdoor_apt_pcclient
|
|
{
|
|
meta:
|
|
author = "@patrickrolsen"
|
|
maltype = "APT.PCCLient"
|
|
filetype = "DLL"
|
|
version = "0.1"
|
|
description = "Detects the dropper: 869fa4dfdbabfabe87d334f85ddda234 AKA dw20.dll/msacm32.drv dropped by 4a85af37de44daf5917f545c6fd03902 (RTF)"
|
|
date = "2012-10"
|
|
strings:
|
|
$magic = { 4d 5a } // MZ
|
|
$string1 = "www.micro1.zyns.com"
|
|
$string2 = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"
|
|
$string3 = "msacm32.drv" wide
|
|
$string4 = "C:\\Windows\\Explorer.exe" wide
|
|
$string5 = "Elevation:Administrator!" wide
|
|
$string6 = "C:\\Users\\cmd\\Desktop\\msacm32\\Release\\msacm32.pdb"
|
|
condition:
|
|
$magic at 0 and 4 of ($string*)
|
|
} |