08e8d462fe
RED PILL 🔴 💊
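// NewPoSThings point-of-sale RAM scraper, 2015 sample set (Trend Micro, 2015-03-10).
//
// The condition has two independent paths:
//   - any one of the $pdb* build-artefact paths: high confidence, since each ties
//     a binary to the author's Visual Studio project tree (NewPosThings, jsd_12.2);
//   - all of the $string* runtime strings together: each one on its own is
//     generic (Run autostart key, a browser User-Agent, SeDebugPrivilege,
//     lsass.exe), so requiring the complete set keeps false positives down.
//
// Encoding notes: every $string* entry except $string8 is `wide` only, i.e. it
// matches the UTF-16LE form and NOT an ASCII copy of the same text; add `ascii`
// if a sample set is found to embed them that way. The published rendering of
// this rule used typographic quotes (“ ”), which the YARA compiler rejects;
// all quotes here are plain ASCII.
rule PoS_Malware_NewPOSThings2015 : newposthings2015
{
    meta:
        author = "Trend Micro, Inc."
        date = "2015-03-10"
        description = "Used to detect NewPoSThings RAM scraper, including 2015 sample set"

    strings:
        // Debug-symbol (PDB) paths left in the binaries; matched case-insensitively.
        $pdb1 = "C:\\Users\\Tom\\documents\\visual studio 2012\\Projects\\NewPosThings\\Release\\NewPosThings.pdb" nocase
        $pdb2 = "C:\\Final32\\Release\\Final.pdb" nocase
        $pdb3 = "C:\\Users\\Tom\\documents\\visual studio 2012\\Projects\\jsd_12.2\\Release\\jsd_12.2.pdb" nocase
        $pdb4 = "C:\\Users\\Tom\\documents\\visual studio 2012\\Projects\\jsd_12.2\\x64\\Release\\jsd_12.2.pdb" nocase

        // Registry Run key path (autostart persistence location).
        $string0 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide
        // Hard-coded HTTP request strings. Note the missing space before
        // "(compatible" in the User-Agent — a distinctive oddity worth keeping verbatim.
        $string1 = "Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0)" wide
        $string2 = "Content-Type: application/x-www-form-urlencoded" wide
        $string3 = "Use 64bit version." wide
        // Privilege name and process name; together they suggest reading other
        // processes' memory, which is consistent with a RAM scraper (inferred).
        $string4 = "SeDebugPrivilege" wide
        // Names that appear to imitate a Java updater (inferred from the text alone).
        $string5 = "Java Update Manager" wide
        $string6 = "Java\\Javaj.exe" wide
        $string7 = "lsass.exe" wide
        // Base64 of "insert"; ASCII-only in the original (no `wide` modifier).
        $string8 = "aW5zZXJ0"

    condition:
        // $str* expands to every identifier starting with "str", i.e. $string0..$string8.
        (any of ($pdb*)) or (all of ($str*))
}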