private rule LURK0Header : Family LURK0
{
    meta:
        description = "5 char code for LURK0"
        author = "Katie Kleemola"
        last_updated = "07-21-2014"

    strings:
        // Five consecutive MOV r/m8, imm8 (opcode C6) instructions that write
        // the ASCII bytes 'L' 'U' 'R' 'K' '0' one at a time. The [5] jump
        // leaves room for the ModRM/displacement bytes between the opcode
        // and the immediate character.
        $lurk0_tag = { C6 [5] 4C C6 [5] 55 C6 [5] 52 C6 [5] 4B C6 [5] 30 }

    condition:
        // Only one string is declared, so this is equivalent to "any of them".
        $lurk0_tag
}
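private rule CCTV0Header : Family CCTV0
{
    meta:
        // Description previously read "5 char code for LURK0", a copy-paste
        // leftover from LURK0Header; this rule matches the CCTV0 marker.
        description = "5 char code for CCTV0"
        author = "Katie Kleemola"
        last_updated = "07-21-2014"

    strings:
        // Variant 1: one MOV r/m8, imm8 (opcode C6) per character, writing
        // the ASCII bytes 'C' 'C' 'T' 'V' '0' one at a time.
        $cctv0_bytewise = { C6 [5] 43 C6 [5] 43 C6 [5] 54 C6 [5] 56 C6 [5] 30 }

        // Variant 2: a bit hacky (original author's words), for samples that
        // do not simply mov one char at a time. Reads as MOV AL, 'C' (B0 43),
        // two MOV r/m8, AL stores (88 ..) for the repeated 'C', then 'T' and
        // 'V' via C6, and finally '0' either through AL or as an immediate.
        $cctv0_via_al = { B0 43 88 [3] 88 [3] C6 [3] 54 C6 [3] 56 [0-12] (B0 30 | C6 [3] 30) }

    condition:
        // Either encoding of the marker is sufficient.
        any of them
}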
private rule SharedStrings : Family
{
    meta:
        description = "Internal names found in LURK0/CCTV0 samples"
        author = "Katie Kleemola"
        last_updated = "07-22-2014"

    strings:
        // Internal library / project names (ASCII).
        $name_dll    = "Butterfly.dll"
        $name_path   = /\\BT[0-9.]+\\ButterFlyDLL\\/
        $name_client = "ETClientDLL"

        // "Dbx" update directories (UTF-16LE).
        $dbx_et = "\\DbxUpdateET\\" wide
        $dbx_bt = "\\DbxUpdateBT\\" wide
        $dbx    = "\\DbxUpdate\\" wide

        // Other folder name.
        $dir_micet = "\\Micet\\"

        // Embedded file names (UTF-16LE).
        $file_icon_cache  = "IconCacheEt.dat" wide
        $file_icon_config = "IconConfigEt.dat" wide

        // Short NUL-delimited markers (UTF-16LE). Several of these are very
        // short and generic on their own; this rule is private and is only
        // consumed AND-ed with a family header rule (see LURK0 / CCTV0),
        // which is what keeps the false-positive surface acceptable.
        $mark_erx  = "\x00\x00ERXXXXXXX\x00\x00" wide
        $mark_111  = "\x00\x00111\x00\x00" wide
        $mark_etun = "\x00\x00ETUN\x00\x00" wide
        $mark_er   = "\x00\x00ER\x00\x00" wide

    condition:
        // TODO (original author): finetune this -- a single hit is enough.
        any of them
}
rule LURK0 : Family LURK0
{
    meta:
        description = "rule for lurk0"
        author = "Katie Kleemola"
        last_updated = "07-22-2014"

    condition:
        // Public entry point for the family: requires both the LURK0 5-char
        // header marker and at least one of the shared internal strings.
        LURK0Header and SharedStrings
}
rule CCTV0 : Family CCTV0
{
    meta:
        description = "rule for cctv0"
        author = "Katie Kleemola"
        last_updated = "07-22-2014"

    condition:
        // Public entry point for the family: requires both the CCTV0 5-char
        // header marker and at least one of the shared internal strings.
        CCTV0Header and SharedStrings
}