08e8d462fe
RED PILL 🔴 💊
18 lines
735 B
Text
18 lines
735 B
Text
|
|
rule MAL_CMD_Script_Obfuscated_Feb19_1 {
|
|
meta:
|
|
description = "Detects obfuscated batch script using env variable sub-strings"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://twitter.com/DbgShell/status/1101076457189793793"
|
|
date = "2019-03-01"
|
|
hash1 = "deed88c554c8f9bef4078e9f0c85323c645a52052671b94de039b438a8cff382"
|
|
id = "8cc99ff5-968c-5b12-9aac-72279c1b8a6b"
|
|
strings:
|
|
$h1 = { 40 65 63 68 6F 20 6F 66 66 0D 0A 73 65 74 20 }
|
|
$s1 = { 2C 31 25 0D 0A 65 63 68 6F 20 25 25 }
|
|
condition:
|
|
uint16(0) == 0x6540 and filesize < 200KB and
|
|
$h1 at 0 and
|
|
uint16(filesize-3) == 0x0d25 and uint8(filesize-1) == 0x0a and
|
|
$s1 in (filesize-200..filesize)
|
|
}
|