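rule Hangover_ron_babylon
{
    meta:
        description = "Multipart file-upload client carrying a set of fixed tokens (string-based detection)"
    strings:
        // Required anchor: the multipart form field name used by the uploader.
        // This header fragment also occurs in benign upload code, so the rule
        // relies on the $b*/$c* token groups for specificity.
        $a = "Content-Disposition: form-data; name=\"uploaddir\""

        // Short fixed tokens. $b7 "SIMPLE" and $b15 "DEMO" are ordinary words
        // and are the most likely false-positive contributors in this group;
        // consider tightening them if the rule fires on clean files.
        $b1 = "MBVDFRESCT"
        $b2 = "EMSCBVDFRT"
        $b3 = "EMSFRTCBVD"
        $b4 = "sendFile"
        $b5 = "BUGMAAL"
        $b6 = "sMAAL"
        $b7 = "SIMPLE"
        $b8 = "SPLIME"
        $b9 = "getkey.php"
        // $b10 was an exact duplicate of $b1 ("MBVDFRESCT") and was removed;
        // under "1 of ($b*)" this does not change which files match.
        $b11 = "DSMBVCTFRE"
        $b12 = "MBESCVDFRT"
        $b13 = "TCBFRVDEMS"
        $b14 = "DEMOMAKE"
        $b15 = "DEMO"
        $b16 = "UPHTTP"

        // Hex-looking tokens. Their lengths vary (27 to 32 characters), so
        // they are treated here as literal identifiers embedded in the
        // samples rather than as digests of anything.
        $c1 = "F39D45E70395ABFB8D8D2BFFC8BBD152"
        $c2 = "90B452BFFF3F395ABDC878D8BEDBD152"
        $c3 = "FFF3F395A90B452BB8BEDC878DDBD152"
        $c4 = "5A9DCB8FFF3F02B8B45BE39D152"
        $c5 = "5A902B8B45BEDCB8FFF3F39D152"
        $c6 = "78DDB5A902BB8FFF3F398B45BEDCD152"
        $c7 = "905ABEB452BFFFBDC878D83F39DBD152"
        $c8 = "D2BFFC8BBD152F3B8D89D45E70395ABF"
        $c9 = "8765F3F395A90B452BB8BEDC878"
        $c10 = "90ABDC878D8BEDBB452BFFF3F395D152"
        $c11 = "F12BDC94490B452AA8AEDC878DCBD187"

    condition:
        // The upload header is mandatory; any single token from either group
        // is enough to confirm.
        $a and (1 of ($b*) or 1 of ($c*))
}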
rule Hangover_Fuddol
{
    meta:
        description = "HTTP downloader component identified by two embedded labels"
    strings:
        // Self-descriptive label left in the binary; the escaped backslash is
        // part of the literal.
        $a = "\\Http downloader(fud)"
        // File-existence check routine name.
        $b = "Fileexists"
    condition:
        $a and $b
}
rule Hangover_UpdateEx
{
    meta:
        description = "VB6 component exposing UpdateEx/MainEx/GetLogs routines"
    strings:
        // Routine and module names; all must be present.
        $a1 = "UpdateEx"
        // VBA6.DLL is the Visual Basic 6 runtime import and appears in any
        // VB6 executable -- it adds little on its own, so the rule requires
        // every other name as well.
        $a2 = "VBA6.DLL"
        $a3 = "MainEx"
        $a4 = "GetLogs"
        $a5 = "ProMan"
        $a6 = "RedMod"
    condition:
        all of ($a*)
}
rule Hangover_Tymtin_Degrab
{
    meta:
        description = "Client identified by two fixed HTTP query-string fragments"
    strings:
        // Query parameters sent by the sample; both fragments are required.
        $a1 = "&dis=no&utp=op&mfol="
        $a2 = "value1=1&value2=2"
    condition:
        $a1 and $a2
}
rule Hangover_Smackdown_Downloader
{
    meta:
        description = "VB6 downloader: generic download-event names plus sample-specific form/module names"
    strings:
        // Group A: download event handlers and the VB6 runtime import
        // (MSVBVM60.DLL). These are common to many VB6 programs, which is
        // why only three of five are required and group B must also hit.
        $a1 = "DownloadComplete"
        $a2 = "DownloadProgress"
        $a3 = "DownloadError"
        $a4 = "UserControl"
        $a5 = "MSVBVM60.DLL"

        // Group B: project-specific identifiers (form and control names).
        $b1 = "syslide"
        $b2 = "frmMina"
        $b3 = "Soundsman"
        $b4 = "New_upl"
        $b5 = "MCircle"
        $b6 = "shells_DataArrival"
    condition:
        3 of ($a*) and any of ($b*)
}
rule Hangover_Vacrhan_Downloader
{
    meta:
        description = "VB6 downloader identified by the pranVacrhan project name and timer/admin-check routines"
    strings:
        // Project-specific name; the most distinctive string in the set.
        $a1 = "pranVacrhan"
        // VB6 runtime import; present in all VB6 binaries.
        $a2 = "VBA6.DLL"
        // Default VB timer control names.
        $a3 = "Timer1"
        $a4 = "Timer2"
        // Admin-rights check routine name.
        $a5 = "IsNTAdmin"
    condition:
        all of ($a*)
}
rule Hangover_Smackdown_various
{
    meta:
        description = "VB6 components sharing an admin-check/advpack pattern, identified by one of several project names"
    strings:
        // Group A: project names; any one is sufficient. "pranVacrhan" is
        // also used by Hangover_Vacrhan_Downloader, so both rules can fire
        // on the same file.
        $a1 = "pranVacrhan"
        $a2 = "NaramGaram"
        $a3 = "vampro"
        $a4 = "AngelPro"

        // Group B: runtime import, advpack library reference and the
        // admin-check routine name; all three are required.
        $b1 = "VBA6.DLL"
        $b2 = "advpack"
        $b3 = "IsNTAdmin"
    condition:
        any of ($a*) and all of ($b*)
}
rule Hangover_Foler
{
    meta:
        description = "Component identified by a MyHood folder path fragment and two short tags"
    strings:
        // Path fragment (escaped backslash is literal).
        $a1 = "\\MyHood"
        // Short tags; individually weak, hence all three are required.
        $a2 = "UsbP"
        $a3 = "ID_MON"
    condition:
        $a1 and $a2 and $a3
}
rule Hangover_Appinbot
{
    meta:
        description = "Bot component: process enumeration APIs plus a fixed command vocabulary"
    strings:
        // Toolhelp process-enumeration imports. These are widely used by
        // benign software; the command strings below carry the specificity.
        $a1 = "CreateToolhelp32Snapshot"
        $a2 = "Process32First"
        $a3 = "Process32Next"
        // Protocol / command format strings embedded in the sample.
        $a4 = "FIDR/"
        $a5 = "SUBSCRIBE %d"
        $a6 = "CLOSE %d"
    condition:
        all of ($a*)
}
rule Hangover_Linog
{
    meta:
        description = "File uploader identified by its multipart form-data format string and error messages"
    strings:
        // Multipart field name.
        $a1 = "uploadedfile"
        // Error messages (note the double period in $a2 -- keep verbatim).
        $a2 = "Error in opening a file.."
        $a3 = "The file could not be opened"
        // printf-style template for the multipart header; the %s
        // placeholders are literal in the binary.
        $a4 = "%sContent-Disposition: form-data; name=\"%s\";filename=\"%s\""
    condition:
        all of ($a*)
}
rule Hangover_Iconfall
{
    meta:
        description = "Component identified by the iconfall tag and one fixed hex-looking token"
    strings:
        // Tag string; also used (as "wide ascii") by Hangover2_Keylogger.
        $a1 = "iconfall"
        // Same 32-character token as $c6 in Hangover_ron_babylon.
        $a2 = "78DDB5A902BB8FFF3F398B45BEDCD152"
    condition:
        $a1 and $a2
}
rule Hangover_Deksila
{
    meta:
        description = "Downloader identified by a custom user-agent token and two resource names"
    strings:
        // User-agent-style token; the same string anchors Hangover2_Downloader.
        $a1 = "WinInetGet/0.1"
        // Resource / file names embedded in the sample.
        $a2 = "dekstop2007.ico"
        $a3 = "mozila20"
    condition:
        $a1 and $a2 and $a3
}
rule Hangover_Auspo
{
    meta:
        description = "Component identified by a hard-coded IE6 user-agent plus two uppercase tags"
    strings:
        // Hard-coded user-agent string. Common in many tools on its own,
        // so the two tags below are mandatory.
        $a1 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV2)"
        $a2 = "POWERS"
        $a3 = "AUSTIN"
    condition:
        $a1 and $a2 and $a3
}
rule Hangover_Slidewin
{
    meta:
        description = "Keystroke logger identified by its bracketed key-name labels"
    strings:
        // Key-name labels written to the log. All must be present.
        // There is no $a13; the numbering gap is kept as in the original.
        $a1 = "[NumLock]"
        $a2 = "[ScrlLock]"
        $a3 = "[LtCtrl]"
        $a4 = "[RtCtrl]"
        $a5 = "[LtAlt]"
        $a6 = "[RtAlt]"
        $a7 = "[HomePage]"
        $a8 = "[MuteOn/Off]"
        $a9 = "[VolDn]"
        $a10 = "[VolUp]"
        $a11 = "[Play/Pause]"
        $a12 = "[MailBox]"
        $a14 = "[Calc]"
        $a15 = "[Unknown]"
    condition:
        all of ($a*)
}
rule Hangover_Gimwlog
{
    meta:
        description = "Logging component identified by debug separators and a fixed staging directory command"
    strings:
        // Debug separator lines (dash counts differ between the two).
        $a1 = "file closed---------------------"
        $a2 = "new file------------------"
        // Shell command creating a fixed directory; backslashes are escaped
        // once for YARA and are literal in the binary.
        $a3 = "md C:\\ApplicationData\\Prefetch\\"
    condition:
        $a1 and $a2 and $a3
}
rule Hangover_Gimwup
{
    meta:
        description = "Scanner/uploader component identified by debug output and a fixed log file name"
    strings:
        // Debug output left in the binary.
        $a1 = "=======inside while==========="
        $a2 = "scan finished"
        // Generic log file name; weak alone, hence all three are required.
        $a3 = "logFile.txt"
    condition:
        $a1 and $a2 and $a3
}
rule Hangover2_Downloader
{
    meta:
        description = "Downloader identified by a custom user-agent token, an exception message and its query parameters"
    strings:
        // Every string is matched in both ASCII and UTF-16LE form.
        // User-agent-style token; the same literal (ASCII only) anchors
        // Hangover_Deksila.
        $a = "WinInetGet/0.1" wide ascii
        // Truncated exception message ("Excep while up") as found in the sample.
        $b = "Excep while up" wide ascii
        // Query-string parameter names.
        $c = "&file=" wide ascii
        $d = "&str=" wide ascii
        $e = "?cn=" wide ascii
    condition:
        $a and $b and $c and $d and $e
}
rule Hangover2_stealer
{
    meta:
        description = "Stealer component identified by a web-client class name and two fixed format strings"
    strings:
        // Every string is matched in both ASCII and UTF-16LE form.
        $a = "MyWebClient" wide ascii
        // NOTE: this is a plain text string, not a YARA regex -- the
        // "{[0-9]+}" part must appear literally in the file. If the
        // intent was to match a numeric Location header, this would need
        // to be rewritten as a regex string instead.
        $b = "Location: {[0-9]+}" wide ascii
        // Record format template with %s/%d placeholders kept literal.
        $c = "[%s]:[C-%s]:[A-%s]:[W-%s]:[S-%d]" wide ascii
    condition:
        $a and $b and $c
}
rule Hangover2_backdoor_shell
{
    meta:
        description = "Remote shell component identified by its four status messages"
    strings:
        // Status messages emitted by the shell handler; matched in both
        // ASCII and UTF-16LE form. Trailing spaces in $a and $b are
        // significant and kept verbatim.
        $a = "Shell started at: " wide ascii
        $b = "Shell closed at: " wide ascii
        $c = "Shell is already closed!" wide ascii
        $d = "Shell is not Running!" wide ascii
    condition:
        $a and $b and $c and $d
}
rule Hangover2_Keylogger
{
    meta:
        description = "Keylogger component identified by a tag, an ipconfig redirection command fragment and a fixed Global object name"
    strings:
        // Every string is matched in both ASCII and UTF-16LE form.
        // Tag string; the ASCII-only form is also used by Hangover_Iconfall.
        $a = "iconfall" wide ascii
        // cmd.exe argument fragment redirecting ipconfig output to a file
        // (the trailing space before the target path is part of the literal).
        $b = "/c ipconfig /all > " wide ascii
        // Fixed name in the Global\ namespace, as used for named kernel
        // objects; the backslash is escaped once for YARA.
        $c = "Global\\{CHKAJESKRB9-35NA7-94Y436G37KGT}" wide ascii
    condition:
        $a and $b and $c
}