Sneed-Reactivity/yara-mikesxrs/Checkpoint/ZZ_breakwin_meteor_batch_files.yar

rule ZZ_breakwin_meteor_batch_files {
    // Batch-file stage of the intrusion described in the Check Point
    // write-up referenced below: flags a file by the artifact names it
    // mentions, or by either of two distinctive command-line fragments.
    meta:
        description = "Detect the batch files used in the attacks"
        reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
        author = "Check Point Research"
        date = "22-07-2021"

    strings:
        // Artifact names referenced by the batch files. All are plain
        // ASCII and case-sensitive (no `nocase` / `wide` modifiers), so
        // upper-case or UTF-16 spellings do not match.
        // NOTE(review): Windows file names are case-insensitive; confirm
        // the case-sensitive match is intended.
        $filename_0 = "mscap.bmp"
        $filename_1 = "mscap.jpg"
        $filename_2 = "msconf.conf"
        $filename_3 = "msmachine.reg"
        $filename_4 = "mssetup.exe"
        $filename_5 = "msuser.reg"
        $filename_6 = "msapp.exe"
        $filename_7 = "bcd.rar"
        $filename_8 = "bcd.bat"
        $filename_9 = "msrun.bat"

        // Command-line fragments. The first references batch variables
        // (%...%) whose names suggest a PowerShell-driven Defender
        // exclusion — their expanded values are not part of the match.
        // The second launches update.bat with a fixed argument.
        $command_line_0 = "powershell -Command \"%exclude_command% '%defender_exclusion_folder%"
        $command_line_1 = "start /b \"\" update.bat hackemall"

    condition:
        // A single command-line fragment is treated as sufficient; the
        // individual file names are generic, so at least four of them
        // must appear together.
        1 of ($command_line_*) or
        4 of ($filename_*)
}