39 lines
1.5 KiB
Text
39 lines
1.5 KiB
Text
rule PNGRat_C2_Decode
|
|
/*
|
|
.text:180002CCE 8A 43 01 mov al, [rbx+1]
|
|
.text:180002CD1 B1 71 mov cl, 71h
|
|
.text:180002CD3 48 8D 54 24 30 lea rdx, [rsp+148h+Src] ; Src
|
|
.text:180002CD8 C0 E0 04 shl al, 4 ; Shift Logical Left
|
|
.text:180002CDB 41 B8 04 00 00 00 mov r8d, 4; Size
|
|
.text:180002CE1 02 03 add al, [rbx] ; Add
|
|
.text:180002CE3 2A C1 sub al, cl; Integer Subtraction
|
|
*/
|
|
{
|
|
meta:
|
|
Author = "BB RSAIR"
|
|
Date = "15Jan2015"
|
|
reference = "https://community.rsa.com/docs/DOC-30015"
|
|
strings:
|
|
$decode = {8A 43 [0-1] B1 71 48 [0-4] C0 E0 04 41 B8 04 [0-3] 02 03 2A C1 }
|
|
|
|
condition:
|
|
$decode and uint16( 0) == 0x5A4D
|
|
}
|
|
|
|
rule PngRatV2
|
|
{
|
|
meta:
|
|
Author = "EMH RSAIR"
|
|
Date = "14Dec2014"
|
|
reference = "https://community.rsa.com/docs/DOC-30015"
|
|
strings:
|
|
$mz = { 4D 5A }
|
|
$reg_pw = "abe2869f-9b47-4cd9-a358-c22904dba7f7"
|
|
$stego_c2 = "http://social.technet.microsoft.com/Forums/" nocase
|
|
$ip_string = "%u.%u.%u.%u"
|
|
$microsoft = {C6 44 24 30 40 C6 44 24 31 4D C6 44 24 32 49 C6 44 24 33 43 C6 44 24 34 52 C6 44 24 35 30 C6 44 24 36 53 C6 44 24 37 30 C6 44 24 38 46 C6 44 24 39 54 C6 44 24}
|
|
$corporation = {C6 44 24 30 43 48 8B CB C6 44 24 31 30 C6 44 24 32 52 C6 44 24 33 50 C6 44 24 34 30 C6 44 24 35 52 C6 44 24 36 41 C6 44 24 37 54 C6 44 24 38 49 C6 44 24 39 30 C6 44 24 3A 4E C6 44 24 3B 00}
|
|
|
|
condition:
|
|
all of them or ($mz and $reg_pw and $ip_string and $microsoft and $corporation)
|
|
}
|