private rule SurtrCode : Surtr Family {
    meta:
        author = "Katie Kleemola"
        description = "Code features for Surtr Stage1"
        last_updated = "2014-07-16"

    strings:
        // Config-decryption routine. The opcodes read as a byte loop that
        // compares the current byte with 1 and XORs it with 1 before storing
        // and advancing (3C 01 = cmp al,1 ; 34 01 = xor al,1 ; 72 = jb back).
        // NOTE(review): that reading is inferred from the bytes, not from a
        // sample on this page -- confirm before relying on it in reporting.
        $code_decrypt = { 8A ?? ?? 84 ?? ?? 74 ?? 3C 01 74 ?? 34 01 88 41 3B ?? 72 ?? }

        // "Burn\" assembled one character at a time with single-byte
        // immediate stores (C6 = x86 MOV r/m8, imm8; the [3] skips the
        // three operand bytes between opcode and immediate). This is the
        // fallback for samples where the Burn folder name is not present as
        // a plain string, so SurtrStrings would miss it.
        $code_burn = { C6 [3] 42 C6 [3] 75 C6 [3] 72 C6 [3] 6E C6 [3] 5C }

        // "_Fire.d" built the same way -- presumably the start of a
        // _Fire.d* module name; the remainder is not covered here.
        $code_fire = { C6 [3] 5F C6 [3] 46 C6 [3] 69 C6 [3] 72 C6 [3] 65 C6 [3] 2E C6 [3] 64 }

    condition:
        // One code feature is enough. There is no PE-header
        // (uint16(0) == 0x5A4D) or filesize gate here or in the public Surtr
        // rule, so these patterns are evaluated on any input, memory dumps
        // included; keep that in mind when triaging hits on non-PE data.
        any of ($code_*)
}
private rule SurtrStrings : Surtr Family {
    meta:
        author = "Katie Kleemola"
        description = "Strings for Surtr"
        last_updated = "2014-07-16"

    strings:
        // Null-delimited names: the \x00 on either side requires the name to
        // stand alone as a complete C string, not as a substring of a longer
        // one, which keeps these short tokens reasonably specific.
        $str_soul       = "\x00soul\x00"
        $str_installdll = "\x00InstallDll.dll\x00"
        $str_onedll     = "\x00_One.dll\x00"

        // Plain substrings (YARA defaults: ascii, case-sensitive).
        $str_fradll     = "_Fra.dll"
        $str_crtlog     = "CrtRunTime.log"
        // NOTE(review): 6 bytes, unterminated -- also matches inside
        // "Prod.txt" / "Proe.txt" and similar; weak indicators on their own.
        $str_prod       = "Prod.t"
        $str_proe       = "Proe.t"
        // NOTE(review): 5 bytes ("Burn\"), a generic path fragment; weak on
        // its own.
        $str_burn       = "Burn\\"
        $str_liveupdata = "LiveUpdata_Mem\\"

    condition:
        // Deliberately loose: a single hit on any string, including the short
        // ones flagged above, is sufficient, and the public Surtr rule fires
        // on this rule alone. A hit carried only by $str_prod, $str_proe or
        // $str_burn warrants manual confirmation before being treated as a
        // Surtr detection.
        any of ($str_*)
}
rule Surtr : Family {
    meta:
        author = "Katie Kleemola"
        description = "Rule for Surtr Stage One"
        last_updated = "2014-07-16"

    condition:
        // Fires if either private rule matches; the two are independent, so a
        // single short string from SurtrStrings is enough on its own. No
        // PE-header (uint16(0) == 0x5A4D) or filesize check is applied, so
        // the rule runs unchanged on any input, including memory dumps.
        SurtrCode or SurtrStrings
}