Tuesday, 7 April 2015

NewPOSThings YARA Rule

rule PoS_Malware_NewPOSThings2015 : newposthings2015
{
  meta:
    author = "Trend Micro, Inc."
    date = "2015-03-10"
    description = "Used to detect NewPoSThings RAM scraper, including 2015 sample set"
  strings:
    $pdb1 = "C:\\Users\\Tom\\documents\\visual studio 2012\\Projects\\NewPosThings\\Release\\NewPosThings.pdb" nocase
    $pdb2 = "C:\\Final32\\Release\\Final.pdb" nocase
    $pdb3 = "C:\\Users\\Tom\\documents\\visual studio 2012\\Projects\\jsd_12.2\\Release\\jsd_12.2.pdb" nocase
    $pdb4 = "C:\\Users\\Tom\\documents\\visual studio 2012\\Projects\\jsd_12.2\\x64\\Release\\jsd_12.2.pdb" nocase
    $string0 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide
    $string1 = "Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0)" wide
    $string2 = "Content-Type: application/x-www-form-urlencoded" wide
    $string3 = "Use 64bit version." wide
    $string4 = "SeDebugPrivilege" wide
    $string5 = "Java Update Manager" wide
    $string6 = "Java\\Javaj.exe" wide
    $string7 = "lsass.exe" wide
    $string8 = "aW5zZXJ0"
  condition:
    (any of ($pdb*)) or (all of ($str*))
}

Ref: http://blog.trendmicro.com
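As an added example (not the Trend Micro rule or this blog's own code), a plain-Python re-implementation of the first rule's condition: it shows that `nocase` matches the PDB paths regardless of case, while the `wide` strings must appear as UTF-16LE, so an ASCII-only copy of those strings does not satisfy the rule. The sample buffers are constructed, not real samples.

```python
# Added example: re-implements the condition of PoS_Malware_NewPOSThings2015
# without a YARA engine, to make the `nocase` and `wide` modifiers concrete.

PDB_STRINGS = [  # $pdb1..$pdb4: case-insensitive (nocase), ASCII form only
    "C:\\Users\\Tom\\documents\\visual studio 2012\\Projects\\NewPosThings\\Release\\NewPosThings.pdb",
    "C:\\Final32\\Release\\Final.pdb",
    "C:\\Users\\Tom\\documents\\visual studio 2012\\Projects\\jsd_12.2\\Release\\jsd_12.2.pdb",
    "C:\\Users\\Tom\\documents\\visual studio 2012\\Projects\\jsd_12.2\\x64\\Release\\jsd_12.2.pdb",
]
WIDE_STRINGS = [  # $string0..$string7: `wide` without `ascii`, so UTF-16LE only
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0)",
    "Content-Type: application/x-www-form-urlencoded",
    "Use 64bit version.",
    "SeDebugPrivilege",
    "Java Update Manager",
    "Java\\Javaj.exe",
    "lsass.exe",
]
ASCII_STRINGS = ["aW5zZXJ0"]  # $string8: plain ASCII, case-sensitive


def wide(s: str) -> bytes:
    """YARA's `wide` modifier: every character followed by a NUL byte (UTF-16LE)."""
    return s.encode("utf-16-le")


def pdb_hit(data: bytes) -> bool:
    """any of ($pdb*): ASCII form, compared case-insensitively."""
    lowered = data.lower()
    return any(p.encode().lower() in lowered for p in PDB_STRINGS)


def string_hit(data: bytes) -> bool:
    """all of ($str*): every wide string as UTF-16LE plus $string8 as ASCII."""
    return all(wide(s) in data for s in WIDE_STRINGS) and all(
        s.encode() in data for s in ASCII_STRINGS)


def rule_matches(data: bytes) -> bool:
    """Rule condition: (any of ($pdb*)) or (all of ($str*))."""
    return pdb_hit(data) or string_hit(data)


# Constructed test buffers (not real samples)
SAMPLE_PDB_ONLY = b"\x00" * 16 + b"c:\\final32\\release\\final.pdb" + b"\x00" * 16
SAMPLE_WIDE_ALL = b"".join(wide(s) + b"\x00\x00" for s in WIDE_STRINGS) + b"aW5zZXJ0"
SAMPLE_ASCII_ONLY = b"".join(s.encode() + b"\x00" for s in WIDE_STRINGS) + b"aW5zZXJ0"
```

SAMPLE_ASCII_ONLY carries every string from the rule in ASCII and still does not match, which is the point of reading modifiers before reusing a rule on memory dumps or other non-PE data.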

rule newposthings
{
  strings:
    $pdb1 = "C:\\Users\\Tom\\documents\\visual studio 2012\\Projects\\NewPosThings\\Release\\NewPosThings.pdb" nocase
    $pdb2 = "C:\\Final32\\Release\\Final.pdb" nocase
    $pdb3 = "C:\\Users\\Tom\\documents\\visual studio 2012\\Projects\\jsd_12.2\\Release\\jsd_12.2.pdb" nocase
    $str1 = "install =>"
    $str2 = "update =>"
    $str3 = "cs=bG9n&m="
    $str4 = "cs=aW5zZXJ0&p="
  condition:
    (any of ($pdb*)) or (all of ($str*))
}

Ref: www.arbornetworks.com
