08e8d462fe
RED PILL 🔴 💊
24 lines
No EOL
784 B
Text
24 lines
No EOL
784 B
Text
rule PoS_Malware_RawPOS2015_dumper_old : RawPOS2015_dumper_old
|
|
{
|
|
meta:
|
|
author = "Trend Micro, Inc."
|
|
date = "2015-03-10"
|
|
description = "Used to detect RawPOS memory dumper, pre-2012"
|
|
reference = "http://sjc1-te-ftp.trendmicro.com/images/tex/pdf/RawPOS%20Technical%20Brief.pdf"
|
|
sample_filetype = "exe"
|
|
strings:
|
|
$string0 = " Full private dump of all running processes"
|
|
$string1 = " show info on Process like Path"
|
|
$string2 = " Show this help"
|
|
$string3 = " List all running processes"
|
|
$string4 = "Dumping private memory for pid %s to %s.dmp..."
|
|
$string5 = "%s-%d.dmp"
|
|
$string6 = "memdump\\%s-%d.dmp"
|
|
$string7 = "del memdump\\"
|
|
$string8 = "Process Memory Dumper"
|
|
$string9 = "Base size: %u"
|
|
$string10 = "Module ID: %u"
|
|
$string11 = "Hex: %xh"
|
|
condition:
|
|
all of ($string*)
|
|
} |