17 lines
798 B
Text
17 lines
798 B
Text
rule Poisioned_Hurricane_Certs
|
|
{
|
|
meta:
|
|
Author = "mikesxrs"
|
|
Description = "Looking for certificates found in report"
|
|
Reference = "https://www.fireeye.com/blog/threat-research/2014/08/operation-poisoned-hurricane.html"
|
|
Date = "2017-10-28"
|
|
strings:
|
|
$cert1 = {06 55 69 a3 e2 61 40 91 28 a4 0a ff a9 0d 6d 10} //Police Mutual Aid Association
|
|
$cert2 = {03 e5 a0 10 b0 5c 92 87 f8 23 c2 58 5f 54 7b 80} //MOCOMSYS INC
|
|
$cert3 = {2e df b9 fd cf a0 0c cb 5a b0 09 ee 3a db 97 b9} //QTI INTERNATIONAL INC
|
|
$cert4 = {0f e7 df 6c 4b 9a 33 b8 3d 04 e2 3e 98 a7 7c ce} //PIXELPLUS CO., LTD
|
|
$cert5 = {1D 2B C8 46 D1 00 D8 FB 94 FA EA 4B 7B 5F D8 94} //Ssangyong Motor Co.
|
|
$cert6 = {72 B4 F5 66 7F 69 F5 43 21 A9 40 09 97 4C CC F8} //jtc
|
|
condition:
|
|
any of them
|
|
}
|