08e8d462fe
RED PILL 🔴 💊
17 lines
No EOL
607 B
Text
17 lines
No EOL
607 B
Text
rule apt_c16_win_swisyn : Memory
|
|
{
|
|
meta:
|
|
author = "@dragonthreatlab"
|
|
md5 = "a6a18c846e5179259eba9de238f67e41"
|
|
description = "File matching the md5 above tends to only live in memory, hence the lack of MZ header check."
|
|
date = "2015/01/11"
|
|
reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
|
|
strings:
|
|
$mz = {4D 5A}
|
|
$str1 = "/ShowWU" ascii
|
|
$str2 = "IsWow64Process"
|
|
$str3 = "regsvr32 "
|
|
$str4 = {8A 11 2A 55 FC 8B 45 08 88 10 8B 4D 08 8A 11 32 55 FC 8B 45 08 88 10}
|
|
condition:
|
|
$mz at 0 and all of ($str*)
|
|
} |