

// Trend Micro detection for the older (pre-2012) RawPOS process-memory dumper.
// The rule keys entirely on plain-text strings from the tool's own usage text,
// status messages and dump-file naming; a packed or string-obfuscated build
// would not carry these and needs unpacking before this rule can fire.
// All twelve strings must be present (no single string is considered
// distinctive enough on its own).
rule PoS_Malware_RawPOS2015_dumper_old : RawPOS2015_dumper_old
{
    meta:
        author          = "Trend Micro, Inc."
        date            = "2015-03-10"
        description     = "Used to detect RawPOS memory dumper, pre-2012"
        reference       = "http://sjc1-te-ftp.trendmicro.com/images/tex/pdf/RawPOS%20Technical%20Brief.pdf"
        sample_filetype = "exe"

    strings:
        // Usage / help text as printed by the dumper (note the leading space).
        $usage_dump_all  = " Full private dump of all running processes"
        $usage_proc_info = " show info on Process like Path"
        $usage_help      = " Show this help"
        $usage_list      = " List all running processes"

        // Progress message and the format strings used to name output files.
        $msg_dumping     = "Dumping private memory for pid %s to %s.dmp..."
        $fmt_dmp_name    = "%s-%d.dmp"
        $fmt_dmp_path    = "memdump\\%s-%d.dmp"
        $cmd_del_dumps   = "del memdump\\"

        // Program banner and per-module report lines.
        $banner          = "Process Memory Dumper"
        $info_base_size  = "Base size: %u"
        $info_module_id  = "Module ID: %u"
        $info_hex        = "Hex: %xh"

    condition:
        // Equivalent to the original `all of ($string*)`: every string above.
        all of them
}