08e8d462fe
RED PILL 🔴 💊
23 lines
No EOL
432 B
Text
23 lines
No EOL
432 B
Text
|
|
import "pe"
|
|
import "math"
|
|
|
|
rule apt_ProjectSauron_generic_pipe_backdoor {
|
|
meta:
|
|
copyright = "Kaspersky Lab"
|
|
description = "Rule to detect ProjectSauron generic pipe backdoors"
|
|
version = "1.0"
|
|
reference = "https://securelist.com/blog/"
|
|
|
|
strings:
|
|
$a = { C7 [2-3] 32 32 32 32 E8 }
|
|
$b = { 42 12 67 6B }
|
|
$c = { 25 31 5F 73 }
|
|
$d = "rand"
|
|
$e = "WS2_32"
|
|
|
|
condition:
|
|
uint16(0) == 0x5A4D and
|
|
(all of them) and
|
|
filesize < 400000
|
|
} |