08e8d462fe
RED PILL 🔴 💊
36 lines
1.3 KiB
Text
36 lines
1.3 KiB
Text
|
|
rule Backdoor_Naikon_APT_Sample1 {
|
|
meta:
|
|
description = "Detects backdoors related to the Naikon APT"
|
|
author = "Florian Roth"
|
|
reference = "https://goo.gl/7vHyvh"
|
|
date = "2015-05-14"
|
|
hash = "d5716c80cba8554eb79eecfb4aa3d99faf0435a1833ec5ef51f528146c758eba"
|
|
hash = "f5ab8e49c0778fa208baad660fe4fa40fc8a114f5f71614afbd6dcc09625cb96"
|
|
strings:
|
|
$x0 = "GET http://%s:%d/aspxabcdef.asp?%s HTTP/1.1" fullword ascii
|
|
$x1 = "POST http://%s:%d/aspxabcdefg.asp?%s HTTP/1.1" fullword ascii
|
|
$x2 = "greensky27.vicp.net" fullword ascii
|
|
$x3 = "\\tempvxd.vxd.dll" fullword wide
|
|
$x4 = "otna.vicp.net" fullword ascii
|
|
$x5 = "smithking19.gicp.net" fullword ascii
|
|
|
|
$s1 = "User-Agent: webclient" fullword ascii
|
|
$s2 = "\\User.ini" fullword ascii
|
|
$s3 = "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200" ascii
|
|
$s4 = "\\UserProfile.dll" fullword wide
|
|
$s5 = "Connection:Keep-Alive: %d" fullword ascii
|
|
$s6 = "Referer: http://%s:%d/" fullword ascii
|
|
$s7 = "%s %s %s %d %d %d " fullword ascii
|
|
$s8 = "%s--%s" fullword wide
|
|
$s9 = "Run File Success!" fullword wide
|
|
$s10 = "DRIVE_REMOTE" fullword wide
|
|
$s11 = "ProxyEnable" fullword wide
|
|
$s12 = "\\cmd.exe" fullword wide
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 1000KB and
|
|
(
|
|
1 of ($x*) or 7 of ($s*)
|
|
)
|
|
}
|
|
|