private rule QuarianCode : Quarian Family
{
    // Code-level indicators for the Quarian family: short opcode sequences
    // taken from three of its components. Private: only referenced by the
    // public Quarian rule below, never reported on its own.
    meta:
        description = "Quarian code features"
        author = "Seth Hardy"
        last_modified = "2014-07-09"

    strings:
        // Decrypt routine in intelnat.sys. Register operands are wildcarded
        // (E?, ??, F?, C?) so the pattern survives rebuilds that only change
        // register allocation.
        $decrypt_intelnat = { c1 e? 04 8b ?? f? c1 e? 05 33 c? }

        // Decrypt routine in mswsocket.dll. Both sequences are only 7-8 bytes
        // long; if this fires on unrelated binaries, tightening to
        // "2 of them" is the first thing to try.
        $decrypt_mswsocket_1 = { c1 ef 05 c1 e3 04 33 fb }
        $decrypt_mswsocket_2 = { 33 d8 81 ee 47 86 c8 61 }

        // Loop in msupdate.dll. Includes a hard-coded relative jump target
        // (e9 95 fe ff ff), so this one is build-specific.
        $loop_msupdate = { ff 45 e8 81 45 ec cc 00 00 00 e9 95 fe ff ff }

    condition:
        // Identical to "any of them": a single pattern is enough.
        1 of them
}
private rule QuarianStrings : Quarian Family
{
    // String-level indicators for the Quarian family, grouped by what they
    // are: debug/log messages, artifact names, PDB paths, and Windows object
    // names. Private: only referenced by the public Quarian rule below.
    // Misspellings inside the strings ("drivercashe", "windwos",
    // "state_maping", "Ower") are in the samples themselves and must not be
    // "corrected".
    meta:
        description = "Quarian Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-07-09"

    strings:
        // Log / status messages emitted by the implant.
        $log_1  = "[OnUpLoadFile]"
        $log_2  = "[OnDownLoadFile]"
        $log_3  = "[FileTransfer]"
        $log_4  = "[HandleAdditionalData]"
        $log_5  = "[mswsocket.dll]"
        $log_6  = "---- Not connect the Manager, so start UnInstall ----"
        $log_7  = "------- Enter CompressDownLoadDir ---------"
        $log_8  = "------- Enter DownLoadDirectory ---------"
        $log_9  = "msupdate.dll........Enter ThreadCmd!"
        $log_10 = "replace Rpcss.dll successfully!"

        // Short tokens. "ok1-1" is five ASCII bytes and could plausibly occur
        // in unrelated data; it is the weakest entry under "any of them".
        $tok_1 = "s061779s061750"
        $tok_2 = "ok1-1"
        $tok_3 = "msupdate_tmp.dll"

        // Build-environment PDB paths left in the binaries.
        $pdb_1 = "f:\\loadhiddendriver-mdl\\objfre_win7_x86\\i386\\intelnat.pdb"
        $pdb_2 = "E:\\Code\\2.0\\2.0_multi-port\\2.0\\ServerInstall_New-2010-0913_sp3\\msupdataDll\\Release\\msupdate_tmp.pdb"

        // Filesystem and kernel object names; "wide ascii" covers both the
        // UTF-16 and the narrow form.
        $obj_1 = "\\drivercashe\\" wide ascii
        $obj_2 = "\\microsoft\\windwos\\" wide ascii
        $obj_3 = "\\DosDevices\\LOADHIDDENDRIVER" wide ascii
        $obj_4 = "\\Device\\LOADHIDDENDRIVER" wide ascii
        $obj_5 = "Global\\state_maping" wide ascii
        $obj_6 = "Global\\unInstall_event_1554_Ower" wide ascii

    condition:
        // Same as "any of them": one string from any group suffices.
        any of ($*)
}
rule Quarian : Family
{
    // Public entry point for the Quarian family. It carries no strings of its
    // own and simply combines the two private rules above; both must be
    // compiled in the same file (and before this rule) for the references
    // to resolve.
    meta:
        description = "Quarian"
        author = "Seth Hardy"
        last_modified = "2014-07-09"

    condition:
        // Either indicator set alone is sufficient; order is irrelevant.
        QuarianStrings or QuarianCode
}