rule powerstager
{
    meta:
        author      = "Jeff White - jwhite@paloaltonetworks.com @noottrak"
        date        = "02JAN2018"
        hash1       = "758097319d61e2744fb6b297f0bff957c6aab299278c1f56a90fba197795a0fa" //x86
        hash2       = "83e714e72d9f3c500cad610c4772eae6152a232965191f0125c1c6f97004b7b5" //x64
        description = "Detects PowerStager Windows executable, both x86 and x64"
        reference   = "https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/"

    strings:
        // Opcode sequences the author labels as the decoder routine; one pair per
        // architecture. Wildcards (??) and jumps ([n]) absorb register/offset
        // differences between builds. Byte-for-byte as originally published.
        $decoder_x86_01 = { 8D 95 [4] 8B 45 ?? 01 D0 0F B6 18 8B 4D ?? }
        $decoder_x86_02 = { 89 C8 0F B6 84 05 [4] 31 C3 89 D9 8D 95 [4] 8B 45 ?? 01 D0 88 08 83 45 [2] 8B 45 ?? 3D }
        $decoder_x64_01 = { 8B 85 [4] 48 98 44 0F [7] 8B 85 [4] 48 63 C8 48 }
        $decoder_x64_02 = { 48 89 ?? 0F B6 [3-6] 44 89 C2 31 C2 8B 85 [4] 48 98 }

        // Import names that must all be present: C runtime file/memory calls plus
        // CreateProcessA. Plain ASCII, not fullword, so they may also match inside
        // longer strings; on their own these are common, the decoder bytes and the
        // path artefacts below carry the specificity.
        $apicall_01 = "memset"
        $apicall_02 = "getenv"
        $apicall_03 = "fopen"
        $apicall_04 = "memcpy"
        $apicall_05 = "fwrite"
        $apicall_06 = "fclose"
        $apicall_07 = "CreateProcessA"

        // Drop-path artefacts: a "%s\" format prefix followed by 12 alphanumerics,
        // the literal "TEMP" (presumably the variable resolved via getenv; not
        // verifiable from the rule alone), and a lorem-ipsum file description.
        $filename = /%s\\[a-zA-Z0-9]{12}/
        $pathname = "TEMP" wide ascii
        $filedesc = "Lorem ipsum dolor sit amet, consecteteur adipiscing elit" wide ascii
        // $errormsg = "The version of this file is not compatible with the version of Windows you're running." wide ascii

    condition:
        // MZ header first (cheap reject for non-PE input), then every string
        // group, with the decoder pair deciding which architecture build it is.
        // Each decoder set holds exactly two patterns, so "all of" here is the
        // same test as the original "2 of".
        uint16be(0) == 0x4D5A
        and all of ($apicall_*)
        and ($filename and $pathname and $filedesc)
        and (all of ($decoder_x86*) or all of ($decoder_x64*))
}