Tuesday, 1 July 2014

Trojan.Karagany Yara Rule

Karagany Yara rule:
private rule isPE
{
    condition:
        // 'MZ' DOS header at offset 0 and the 'PE\0\0' signature at e_lfanew (the uint32 stored at 0x3c)
        uint16(0) == 0x5A4D and uint32(uint32(0x3c)) == 0x00004550
}

rule Trojan_Karagany
{
    meta:
        alias = "Dreamloader"
    strings:
        // $s pair and $v pair must each match together; any single $c command string is enough
        $s1 = "neosphere" wide ascii
        $s2 = "10000000000051200" wide ascii
        $v1 = "&fichier" wide ascii
        $v2 = "&identifiant" wide ascii
        $c1 = "xmonstart" wide ascii
        $c2 = "xmonstop" wide ascii
        $c3 = "xgetfile" wide ascii
        $c4 = "downadminexec" wide ascii
        $c5 = "xdiex" wide ascii
        $c6 = "xrebootx" wide ascii
    condition:
        isPE and (($s1 and $s2) or ($v1 and $v2) or (any of ($c*)))
}
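A Python re-implementation of the rule's condition logic, added here as an illustration (it is not from the original post and is not a substitute for running YARA): it shows what the isPE check reads from the header and how the `wide ascii` modifier matches both the ASCII and the UTF-16LE form, evaluated against constructed buffers.

```python
import struct

# String sets taken from the Trojan.Karagany rule above
S_PAIR = [b"neosphere", b"10000000000051200"]
V_PAIR = [b"&fichier", b"&identifiant"]
C_ANY = [b"xmonstart", b"xmonstop", b"xgetfile", b"downadminexec", b"xdiex", b"xrebootx"]


def is_pe(data: bytes) -> bool:
    """Equivalent of the private rule isPE: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40:
        return False
    if struct.unpack_from("<H", data, 0)[0] != 0x5A4D:      # uint16(0) == 0x5A4D
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # uint32(0x3c)
    if e_lfanew + 4 > len(data):
        return False
    return struct.unpack_from("<I", data, e_lfanew)[0] == 0x00004550  # 'PE\0\0'


def has_wide_ascii(data: bytes, s: bytes) -> bool:
    """'wide ascii' modifier: plain ASCII form or UTF-16LE form (each char followed by a 0 byte)."""
    wide = s.decode("ascii").encode("utf-16-le")
    return s in data or wide in data


def matches_karagany(data: bytes) -> bool:
    """isPE and (($s1 and $s2) or ($v1 and $v2) or (any of ($c*)))"""
    if not is_pe(data):
        return False
    s_hit = all(has_wide_ascii(data, s) for s in S_PAIR)
    v_hit = all(has_wide_ascii(data, s) for s in V_PAIR)
    c_hit = any(has_wide_ascii(data, s) for s in C_ANY)
    return s_hit or v_hit or c_hit


def build_sample(payload: bytes) -> bytes:
    """Constructed test buffer: a minimal MZ/PE header skeleton (not a real executable) plus payload."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr) + payload
```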