rule PNGRat_C2_Decode
{
    /*
        Byte pattern lifted from the PNGRat C2 decode routine. Disassembly
        the pattern was derived from (as recorded by the rule author):

        .text:180002CCE 8A 43 01             mov al, [rbx+1]
        .text:180002CD1 B1 71                mov cl, 71h
        .text:180002CD3 48 8D 54 24 30       lea rdx, [rsp+148h+Src] ; Src
        .text:180002CD8 C0 E0 04             shl al, 4
        .text:180002CDB 41 B8 04 00 00 00    mov r8d, 4 ; Size
        .text:180002CE1 02 03                add al, [rbx]
        .text:180002CE3 2A C1                sub al, cl

        Net effect on AL: (byte[1] << 4) + byte[0] - 0x71. The jumps in
        $decode ([0-1], [0-4], [0-3]) stand in for the displacement and
        immediate bytes (01 / 8D 54 24 30 / 00 00 00) so a different stack
        offset or operand encoding in another build still matches.
    */
    meta:
        Author = "BB RSAIR"
        Date = "15Jan2015"
        reference = "https://community.rsa.com/docs/DOC-30015"
    strings:
        // Opcode skeleton of the nibble-shift / add / subtract-0x71 decode stub.
        $decode = {8A 43 [0-1] B1 71 48 [0-4] C0 E0 04 41 B8 04 [0-3] 02 03 2A C1 }
    condition:
        // "MZ" header at offset 0 (a PE), and the decode stub anywhere in the file.
        uint16(0) == 0x5A4D and $decode
}
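rule PngRatV2
{
    meta:
        Author = "EMH RSAIR"
        Date = "14Dec2014"
        reference = "https://community.rsa.com/docs/DOC-30015"
        description = "PNGRat v2: GUID string, technet forum URL, IPv4 format string and stack-built '@MICR0S0FT' / 'C0RP0RATI0N' strings in a PE"
    strings:
        // GUID-shaped literal; the original string name marks it as a registry
        // password — confirm against the reference write-up.
        $reg_pw = "abe2869f-9b47-4cd9-a358-c22904dba7f7"
        // Forum URL the implant reaches out to; the string name indicates the
        // C2 data is stego-encoded in content hosted there.
        $stego_c2 = "http://social.technet.microsoft.com/Forums/" nocase
        // printf-style IPv4 format string. Generic on its own — only useful in
        // combination with the strings above, never as a standalone indicator.
        $ip_string = "%u.%u.%u.%u"
        // Stack string built one byte at a time: C6 44 24 xx imm8 is
        // `mov byte ptr [rsp+xx], imm8`, xx = 30h..39h. The immediates spell
        // '@','M','I','C','R','0','S','0','F','T' -> "@MICR0S0FT" (digit zero
        // in place of 'O'), which is why a plain text string would not match.
        $microsoft = {C6 44 24 30 40 C6 44 24 31 4D C6 44 24 32 49 C6 44 24 33 43 C6 44 24 34 52 C6 44 24 35 30 C6 44 24 36 53 C6 44 24 37 30 C6 44 24 38 46 C6 44 24 39 54 C6 44 24}
        // Same construction for "C0RP0RATI0N" plus the terminating 00 at
        // [rsp+3Bh]; the 48 8B CB (mov rcx, rbx) after the first byte is part
        // of the compiled sequence and is matched literally.
        $corporation = {C6 44 24 30 43 48 8B CB C6 44 24 31 30 C6 44 24 32 52 C6 44 24 33 50 C6 44 24 34 30 C6 44 24 35 52 C6 44 24 36 41 C6 44 24 37 54 C6 44 24 38 49 C6 44 24 39 30 C6 44 24 3A 4E C6 44 24 3B 00}
    condition:
        // The PE check is done on the header rather than with a `{ 4D 5A }`
        // string: a hex string matches "MZ" at any offset (including inside
        // non-PE data), whereas uint16(0) pins it to the DOS header, matching
        // the check used by PNGRat_C2_Decode.
        //
        // `all of them` is logically implied by the second branch (the core set
        // is a subset of all strings); it is kept so that $stego_c2 stays
        // referenced — YARA will not compile a rule with an unreferenced
        // string — and so a full-match is reported with the URL included.
        // $stego_c2 is therefore the only optional indicator.
        uint16(0) == 0x5A4D and
        (all of them or ($reg_pw and $ip_string and $microsoft and $corporation))
}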