RED PILL 🔴 💊
// Detects the SMB worm tool discussed in the PwC destructive-malware write-up
// (see the reference / osint_ref meta fields). Every string below must be
// present for the rule to fire, which keeps the generic entries from matching
// on their own.
rule smbWormTool
{
    meta:
        author       = "PwC Cyber Threat Operations"
        description  = "SMB Worm Tool"
        version      = "1.0"
        created      = "2014-12-30"
        osint_ref    = "http://totalhash.com/analysis/db6cae5734e433b195d8fc3252cbe58469e42bf3"
        exemplar_md5 = "61bf45be644e03bebd4fbf33c1c14be2"
        reference    = "http://pwc.blogs.com/cyber_security_updates/2015/01/destructive-malware.html"

    strings:
        // Path format string aimed at a remote Admin$ share; the host and the
        // executable name are filled in at runtime via the two %s placeholders.
        $admin_share_path   = "%s\\Admin$\\%s.exe" ascii wide nocase
        // Name of the Windows API that submits a scheduled job to a remote server.
        $api_schedule_job   = "NetScheduleJobAdd" ascii wide nocase
        // Error message referencing the SetServiceStatus service API.
        $err_service_status = "SetServiceStatus failed, error code" ascii wide nocase
        // Error message from an explicit LoadLibrary of NTDLL.DLL; note the
        // spaces inside the parentheses, which are part of the literal.
        $err_ntdll_load     = "LoadLibrary( NTDLL.DLL ) Error" ascii wide nocase
        // NTLM message signature. Likely common in unrelated binaries on its
        // own, so it only adds confidence in combination with the rest.
        $ntlmssp            = "NTLMSSP" ascii wide nocase

    condition:
        // Spelled out per string; equivalent to "all of them".
        $admin_share_path and $api_schedule_job and $err_service_status
            and $err_ntdll_load and $ntlmssp
}