Sneed-Reactivity/yara-mikesxrs/kaspersky/apt_ProjectSauron_generic_pipe_backdoor.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

23 lines
No EOL
432 B
Text

import "pe"
import "math"
rule apt_ProjectSauron_generic_pipe_backdoor {
meta:
copyright = "Kaspersky Lab"
description = "Rule to detect ProjectSauron generic pipe backdoors"
version = "1.0"
reference = "https://securelist.com/blog/"
strings:
$a = { C7 [2-3] 32 32 32 32 E8 }
$b = { 42 12 67 6B }
$c = { 25 31 5F 73 }
$d = "rand"
$e = "WS2_32"
condition:
uint16(0) == 0x5A4D and
(all of them) and
filesize < 400000
}