/*
Core Impact Agent known from RocketKitten and WoolenGoldfish APT
*/
rule CoreImpact_sysdll_exe {
    // Detection rule for the sysdll.exe sample attributed to the Rocket Kitten APT
    // (see the header comment above). The rule fires on the build-path string on its
    // own, or on a quorum of six of the listed artefact strings. Every string is an
    // `ascii` match only, so a sample carrying just UTF-16 (wide) copies of these
    // strings is not covered by this rule.
    meta:
        id = "bac55c00-5d14-59ca-8597-f52b4577be0c"
        author = "Florian Roth (Nextron Systems)"
        description = "Detects a malware sysdll.exe from the Rocket Kitten APT"
        date = "27.12.2014"
        modified = "2023-01-06"
        score = 70
        hash = "f89a4d4ae5cca6d69a5256c96111e707"
    strings:
        // Build-output path fragment found in the sample. The condition treats it as
        // sufficient on its own. The trailing "Rele" is a deliberate prefix match,
        // presumably of "Release" — confirm against the sample if extending it.
        $build_path = "d:\\nightly\\sandbox_avg10_vc9_SP1_2011\\source\\avg10\\avg9_all_vs90\\bin\\Rele" ascii
        // Generic artefacts: individually common in benign binaries, meaningful only
        // in combination (hence the quorum in the condition).
        $ua_prefix = "Mozilla/5.0" fullword ascii
        // Two variants of what looks like a request-URI format string (%lx vs %x).
        $uri_fmt_long = "index.php?c=%s&r=%lx" fullword ascii
        $uri_fmt = "index.php?c=%s&r=%x" fullword ascii
        $localhost = "127.0.0.1" fullword ascii
        $info_dat = "/info.dat" ascii
        $needroot = "needroot" fullword ascii
        $plugins_dir = "./plugins/" ascii
    condition:
        // The build path alone is enough; otherwise six of the eight strings are
        // required so that the generic ones cannot trigger the rule by themselves.
        $build_path or 6 of them
}