08e8d462fe
RED PILL 🔴 💊
31 lines
1.5 KiB
Text
31 lines
1.5 KiB
Text
rule madnesspro_strings
|
|
{
|
|
meta:
|
|
author = "Brian Wallace @botnet_hunter"
|
|
author_email = "bwall@ballastsecurity.net"
|
|
date = "2014-03-13"
|
|
description = "Identify Madness Pro"
|
|
strings:
|
|
$c = "YXBvS0FMaXBsaXM9"
|
|
$str5 = "d3Rm" fullword
|
|
$str6 = "ZXhl" fullword
|
|
$string0 = "Referer: "
|
|
$string1 = "regini "
|
|
$string2 = "GetAtomNameA (atom, s, sizeof(s)) "
|
|
$string3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
|
|
$string4 = "dmVyPQ"
|
|
$string5 = "U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cRXhwbG9yZXJcU2hlbGwgRm9sZGVycw"
|
|
$string6 = "U1lTVEVNXENvbnRyb2xTZXQwMDJcc2VydmljZXNcU2hhcmVkQWNjZXNzXFBhcmFtZXRlcnNcRmlyZXdhbGxQb2xpY3lcU3RhbmRh"
|
|
$string7 = "Oio6RW5hYmxlZDo"
|
|
$string8 = "TW96aWxsYS80LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyBubDsgcnY6MS45LjIuMykgR2Vja28vMjAxMDA0MDEgRmly"
|
|
$string9 = "Q2hlY2tUb2tlbk1lbWJlcnNoaXA"
|
|
$string10 = "R0g1Sy1HS0w4LUNQUDQtREUyNA"
|
|
$string11 = "cookie"
|
|
$string12 = "U1lTVEVNXENvbnRyb2xTZXQwMDNcc2VydmljZXNcU2hhcmVkQWNjZXNzXFBhcmFtZXRlcnNcRmlyZXdhbGxQb2xpY3lcU3RhbmRh"
|
|
$string13 = "Content-Type: application/x-www-form-urlencoded"
|
|
$string14 = "Internet Explorer"
|
|
$string15 = "U1lTVEVNXEN1cnJlbnRDb250cm9sU2V0XFNlcnZpY2VzXFNoYXJlZEFjY2Vzc1xQYXJhbWV0ZXJzXEZpcmV3YWxsUG9saWN5XFN0"
|
|
$string16 = "U1lTVEVNXENvbnRyb2xTZXQwMDFcc2VydmljZXNcU2hhcmVkQWNjZXNzXFBhcmFtZXRlcnNcRmlyZXdhbGxQb2xpY3lcU3RhbmRh"
|
|
condition:
|
|
all of them
|
|
}
|