46 lines
No EOL
1.1 KiB
Text
46 lines
No EOL
1.1 KiB
Text
rule AlienSpy
|
|
{
|
|
meta:
|
|
author = "Kevin Breen"
|
|
ref = "http://malwareconfig.com/stats/AlienSpy"
|
|
maltype = "Remote Access Trojan"
|
|
filetype = "jar"
|
|
|
|
strings:
|
|
$PK = "PK"
|
|
$MF = "META-INF/MANIFEST.MF"
|
|
|
|
$a1 = "a.txt"
|
|
$a2 = "b.txt"
|
|
$a3 = "Main.class"
|
|
|
|
$b1 = "ID"
|
|
$b2 = "Main.class"
|
|
$b3 = "plugins/Server.class"
|
|
|
|
$c1 = "resource/password.txt"
|
|
$c2 = "resource/server.dll"
|
|
|
|
$d1 = "java/stubcito.opp"
|
|
$d2 = "java/textito.isn"
|
|
|
|
$e1 = "java/textito.text"
|
|
$e2 = "java/resources.xsx"
|
|
|
|
$f1 = "amarillo/asdasd.asd"
|
|
$f2 = "amarillo/adqwdqwd.asdwf"
|
|
|
|
$g1 = "config/config.perl"
|
|
$g2 = "main/Start.class"
|
|
|
|
$o1 = "config/config.ini"
|
|
$o2 = "windows/windows.ini"
|
|
$o3 = "components/linux.plsk"
|
|
$o4 = "components/manifest.ini"
|
|
$o5 = "components/mac.hwid"
|
|
|
|
|
|
condition:
|
|
$PK at 0 and $MF and
|
|
(all of ($a*) or all of ($b*) or all of ($c*) or all of ($d*) or all of ($e*) or all of ($f*) or all of ($g*) or any of ($o*))
|
|
} |