64 lines
1.8 KiB
Text
64 lines
1.8 KiB
Text
|
|
rule granite_coroner_dropper {
|
|
meta:
|
|
description = "Payload dropper for password theft or keylogging"
|
|
|
|
strings:
|
|
$mz = "MZ"
|
|
|
|
// 5222D4EE744464B154505E68579EB896 - Resource names
|
|
$granitea = "GRANITE" nocase
|
|
$granitew = "GRANITE" nocase wide
|
|
$jocastaeluviuma = "JOCASTAELUVIUM" nocase
|
|
$jocastaeluviumw = "JOCASTAELUVIUM" nocase wide
|
|
|
|
// FA620D788F4E9B22B603276EB020AA8C - Resource names
|
|
$coronera = "CORONER" nocase
|
|
$coronerw = "CORONER" nocase wide
|
|
$bolshiecharitya = "BOLSHIECHARITY" nocase
|
|
$bolshiecharityw = "BOLSHIECHARITY" nocase wide
|
|
|
|
// Both
|
|
$cypher_cryptor = "Cypher Cryptor" wide
|
|
|
|
condition:
|
|
$mz at 0 and
|
|
($granitea and $jocastaeluviuma) or
|
|
($granitew and $jocastaeluviumw) or
|
|
($coronera and $bolshiecharitya) or
|
|
($coronerw and $bolshiecharityw) or
|
|
$cypher_cryptor
|
|
}
|
|
|
|
rule granite_jocasteluvium {
|
|
strings:
|
|
$mz = "MZ"
|
|
|
|
// 8B805E07CCA42BE8FC98C8BCF8D0C7C2
|
|
$string1 = "JumpID(\"\",\"%s\")"
|
|
$string2 = " - Clipboard - "
|
|
$string3 = "Content-Type: application/x-www-form-urlencoded"
|
|
$string4 = "text="
|
|
$string5 = "[Num Lock]"
|
|
$string6 = "[PrtScr]"
|
|
$string7 = "msgss.exe"
|
|
$string8 = "User Interface Manager" wide
|
|
|
|
condition:
|
|
$mz at 0 and 7 of ($string*)
|
|
}
|
|
|
|
|
|
rule coroner_bolshiecharity {
|
|
meta:
|
|
description = "Password extraction utility"
|
|
|
|
strings:
|
|
$mz = "MZ"
|
|
// list of default passwords in 907B3FD96072ADCD08BB6ACA4BD07FC1 @ 0x4146b1
|
|
$passwords = "chelsea\x0055555\x00angel1\x00hardcore\x00dexter\x00saved\x00112233\x00hallo\x00"
|
|
|
|
condition:
|
|
$mz at 0 and $passwords
|
|
}
|
|
|