// Detection rule for the Deimos trojan DLL (Elastic Security, 2021-09-18).
// A file matches when either every $a text string is present or any single
// $b byte sequence is present; see the condition at the bottom.
rule Windows_Trojan_Deimos_DLL {
    meta:
        author = "Elastic Security"
        creation_date = "2021-09-18"
        last_modified = "2021-09-18"
        os = "Windows"
        arch = "x86"
        category_type = "Trojan"
        family = "Deimos"
        threat_name = "Windows.Trojan.Deimos"
        description = "Detects the presence of the Deimos trojan DLL file."
        reference = "https://www.elastic.co/security-labs/going-coast-to-coast-climbing-the-pyramid-with-the-deimos-implant"
        // 64 hex characters, i.e. a SHA-256-length digest of the reference sample.
        reference_sample = "2c1941847f660a99bbc6de16b00e563f70d900f9dbc40c6734871993961d3d3e"

    strings:
        // UTF-16LE ("wide") path fragment. "fullword" requires a non-alphanumeric
        // character on both sides, so it will not match inside a longer token.
        $a1 = "\\APPDATA\\ROAMING" wide fullword
        // UTF-16LE prefix of a JSON object. Presumably the start of a "ping"
        // message produced by the implant -- confirm against the reference sample.
        $a2 = "{\"action\":\"ping\",\"" wide fullword
        // Family name as an ASCII token. On its own this is a weak indicator,
        // which is why the condition requires all three $a strings together.
        $a3 = "Deimos" ascii fullword
        // Raw bytes. The 00-interleaved run reads as UTF-16LE "WXYZ_" followed
        // by "user" -- looks like embedded string data; confirm against the sample.
        $b1 = { 00 57 00 58 00 59 00 5A 00 5F 00 00 17 75 00 73 00 65 00 72 00 }
        // Raw bytes. The repeating 08 / 1F xx / 9D pattern looks like a .NET CIL
        // ldloc / ldc.i4.s / stelem.i1 sequence storing 0x68 0x77 0x69 0x64
        // ("hwid") into an array -- NOTE(review): inferred from the opcode
        // values, confirm against the sample.
        $b2 = { 0C 08 16 1F 68 9D 08 17 1F 77 9D 08 18 1F 69 9D 08 19 1F 64 9D }

    condition:
        // Match on the full set of text strings, or on any one byte pattern.
        // No file-type gate (e.g. a PE header check) is applied, so the rule
        // also fires on non-PE artifacts, such as memory dumps, that carry
        // these bytes.
        all of ($a*) or 1 of ($b*)
}