Sneed-Reactivity/yara-mikesxrs/PWC/Tendrit_2014.yar

/*
 * Tendrit_2014
 *
 * Flags files smaller than 300KB that contain either every URL-path
 * fragment ($url1..$url5) or every status/error message
 * ($error1..$error8) listed below. Attribution, publication date and the
 * reference write-up are carried in the meta section.
 *
 * Notes for anyone deploying this rule:
 *  - None of the strings carry modifiers, so YARA matches them as
 *    case-sensitive ASCII only. A sample that stores the same text as
 *    UTF-16 would not be caught by this rule as written.
 *  - The condition has no file-format check, so any file under the size
 *    limit that holds a full string set will match, including non-executable
 *    content such as a strings dump or an analysis report quoting them.
 *  - "OnePHP" is the rule's tag; its meaning is not explained in this file.
 */
rule Tendrit_2014 : OnePHP
{
    meta:
        author = "PwC Cyber Threat Operations :: @tlansec"
        date = "2014-12"
        // The square brackets are part of the stored value in the original rule.
        ref = "[http://pwc.blogs.com/cyber_security_updates/2014/12/festive-spearphishing-merry-christmas-from-an-apt-actor.html]"
        // 32 hex characters; presumably the MD5 of the reference sample (confirm against the write-up).
        hash = "7b83a7cc1afae7d8b09483e36bc8dfbb"

    strings:
        // URL-path fragments. Several ("favicon", "direct") are common words
        // on their own; the condition only counts them when all five co-occur.
        $url1 = "favicon"
        $url2 = "policyref"
        $url3 = "css.ashx"
        $url4 = "gsh.js"
        $url5 = "direct"

        // Status and error messages embedded in the sample.
        $error1 = "Open HOST_URL error"
        $error2 = "UEDone"
        $error3 = "InternetOpen error"
        $error4 = "Create process fail"
        $error5 = "cmdshell closed"
        $error6 = "invalid command"
        $error7 = "mget over&bingle"
        $error8 = "mget over&fail"

    condition:
        // Size bound plus one complete string family (either set is sufficient).
        filesize < 300KB and
        (
            all of ($url*) or
            all of ($error*)
        )
}