08e8d462fe
RED PILL 🔴 💊
21 lines
752 B
Text
21 lines
752 B
Text
rule NK_GOLDBACKDOOR_Main
|
|
{
|
|
meta:
|
|
author= "Silas Cutler"
|
|
description = "Detection for Main component of GOLDBACKDOOR"
|
|
reference = "https://stairwell.com/news/threat-research-the-ink-stained-trail-of-goldbackdoor/"
|
|
version = "0.1"
|
|
strings:
|
|
$str1 = "could not exec bash command." wide
|
|
$str2 = "%userprofile%\\AppData" wide
|
|
$str3 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.3112.113 Safari/537.36" wide
|
|
$str4 = "tickount: %d"
|
|
$str5 = "Service-0x" wide
|
|
$str6 = "Main Returned"
|
|
$b64_1 = "TwBuAGUARAByAHYAVQBwAGQAYQB0AGUAAAA="
|
|
$b64_2 = "aGFnZW50dHJheQ=="
|
|
$b64_3 = "YXBwbGljYXRpb24vdm5kLmdvb2dsZS1hcHBzLmZvbGRlcg=="
|
|
$pdb = "D:\\Development\\GOLD-BACKDOOR\\"
|
|
condition:
|
|
4 of them or ( $pdb and 1 of them )
|
|
}
|