39 lines
1.2 KiB
Text
39 lines
1.2 KiB
Text
import "pe"
|
|
|
|
rule bit9_ms15_093_plugx_dll_payload : TLPWHITE
|
|
{
|
|
meta:
|
|
author = "rnolen@bit9.com"
|
|
date = "8.26.2015"
|
|
description = "Find a specific plugx variant DLL payload"
|
|
hash1 = "20d88b0fa34d3d79629cb602f08a1145008a75215fe2c91a3b3171287adc4c3d"
|
|
strings:
|
|
$datfile = "nvdisps_user.dat"
|
|
$dllfile = "nvdisps.dll"
|
|
$mutex = "nvdisps_event"
|
|
condition:
|
|
3 of ($datfile,$dllfile,$mutex) and pe.exports("ShadowPlay")
|
|
}
|
|
|
|
|
|
rule bit9_ms15_093_plugx_dropper : TLPWHITE
|
|
{
|
|
meta:
|
|
author = "rnolen@bit9.com"
|
|
date = "8.26.2015"
|
|
description = "Find a specific plugx variant dropper"
|
|
hash1 = "61900fb9841a4d6d14e990163ea575694e684beaf912f50989b0013a9634196f"
|
|
hash2 = "71b201a5a7dfdbe91c0a7783f845b71d066c62014b944f488de5aec6272f907c"
|
|
hash3 = "56ec1ccab98c1ed67a0095b7ec8e6b17b12da3e00d357274fa37ec63ec724c07"
|
|
hash4 = "c437465db42268332543fbf6fd6a560ca010f19e0fd56562fb83fb704824b371"
|
|
strings:
|
|
$datfile = "nvdisps_user.dat"
|
|
$dllfile = "nvdisps.dll"
|
|
$rundll32 = "Rundll32.exe"
|
|
$winhlp32 = "\\winhlp32.exe"
|
|
$shellout = "ShadowPlay 84"
|
|
condition:
|
|
5 of ($datfile,$dllfile,$rundll32,$winhlp32,$shellout)
|
|
}
|
|
|
|
|