rule SparrowDoor_loader
{
    // Code-feature rule for the SparrowDoor loader; per the original meta it
    // covers both the previously documented variant and the newer one.
    // A hit requires a PE container (MZ stub + "PE\0\0" at e_lfanew) plus all
    // three byte patterns below, taken verbatim from the NCSC analysis report.
    meta:
        author      = "NCSC"
        description = "Targets code features of the SparrowDoor loader. This rule detects the previous variant and this new variant."
        reference   = "https://www.ncsc.gov.uk/files/NCSC-MAR-SparrowDoor.pdf"
        date        = "2022-02-28"
        hash1       = "989b3798841d06e286eb083132242749c80fdd4d"   // 40 hex chars: SHA-1 of a reference sample

    strings:
        // Byte-wise XOR decode loop. The fixed 15-byte sequence decodes (x86) as:
        //   mov edx, eax ; and edx, 3 ; mov dl, [esp+edx+0x10]
        //   xor [eax+esi], dl ; inc eax ; cmp eax, ecx
        // i.e. (counter & 3) selects one byte of a 4-byte key held on the stack.
        $xor_algo = { 8B D0 83 E2 03 8A 54 14 10 30 14 30 40 3B C1 }

        // lea esi, [eax+disp32] (disp32 wildcarded) ; lea eax, [esp+disp8] ;
        // push eax ; push 0x40 ; push 5 ; push esi -- argument setup around a
        // 5-byte region at esi; the report labels this "load RVA of process exe".
        // NOTE(review): 0x40 / 5 is consistent with VirtualProtect(addr, 5,
        // PAGE_EXECUTE_READWRITE, &old), but the call itself is not in the pattern.
        $rva      = { 8D B0 [4] 8D 44 24 ?? 50 6A 40 6A 05 56 }

        // "calculate long jump": sub ecx, esi ; sub ecx, 5 ; lea (3 operand bytes
        // wildcarded) ; push edx ; mov byte [esi], 0xE9 ; mov [esi+1], ecx ;
        // mov (3 operand bytes wildcarded) ; push eax ; push 5 ; push esi
        // -- writes a jmp rel32 (E9 + displacement) into a 5-byte target.
        $lj       = { 2B CE 83 E9 05 8D [3] 52 C6 06 E9 89 4E 01 8B [3] 50 6A 05 56 }

    condition:
        // DOS "MZ" signature and "PE\0\0" at the e_lfanew offset. The magic
        // values are read big-endian here, so they are spelled in file byte
        // order; e_lfanew itself stays a little-endian read.
        uint16be(0) == 0x4D5A
        and uint32be(uint32(0x3C)) == 0x50450000
        and all of ($*)
}