32 lines
1.7 KiB
Text
32 lines
1.7 KiB
Text
rule Lazarus_2020
|
|
{
|
|
meta:
|
|
copyright = "Intezer Labs"
|
|
author = "Intezer Labs"
|
|
reference = "https://analyze.intezer.com"
|
|
date = "2020-06-11"
|
|
strings:
|
|
$s1 = "Can't create file %s, errno = %d, nCreateRetryCount = %d" fullword wide ascii
|
|
$s2 = "ExploreDirectory, csDirectoryPath = %s, dwError=%d" fullword wide ascii
|
|
$s3 = "CreateProcess %s failure, errno = %d" fullword wide ascii
|
|
$s4 = "Can't create file %s, errno = %d, nCreateRetryCount = %d" fullword wide ascii
|
|
$s5 = "Can't create file %s, errno = %d" fullword wide ascii
|
|
$s6 = "Can't open user32.dll, %d" fullword wide ascii
|
|
$s7 = "Unable to GetProcAddress of GetProcAddress" fullword wide ascii
|
|
$s8 = "Can't find address of function Id = %d, %s" fullword wide ascii
|
|
$s9 = "Unable to GetProcAddress of VirtualProtect" fullword wide ascii
|
|
$s10 = "Unable to GetProcAddress of GetTickCount64" fullword wide ascii
|
|
$s11 = "Unable to GetProcAddress of GetTickCount" fullword wide ascii
|
|
$s12 = "Unable to GetProcAddress of FreeLibrary" fullword wide ascii
|
|
$s13 = "Receive disconnect command from trojan" fullword wide ascii
|
|
$s14 = "Receive Uninstall command from Trojan" fullword wide ascii
|
|
$s15 = "Receive Update command from trojan" fullword wide ascii
|
|
$l1 = "For more information visit <http://pcre.org/>. Alternative build from <https://github.com/kiyolee/pcre-win-build/>." fullword wide ascii
|
|
$l2 = "\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\OneNote.lnk" fullword wide ascii
|
|
$l3 = "C:\\Windows\\System32\\rundll32.exe \"%s\", CtrlPanel %s 0 0 %s 1" fullword wide ascii
|
|
$l4 = "H@@__SWPJEIVJxJzObRdTd]eH~FqClew~;x&a,k-x6y6!7!5$-91>N6L\"P-\\)2V*L8D'[3S0N-M/K]K_NGS=T>\\8H G" fullword wide ascii
|
|
|
|
condition:
|
|
7 of ($s*) or all of ($l*)
|
|
|
|
}
|