1 Nisan 2015 Çarşamba

njRAT IoC Rule

<?xml version="1.0" encoding="us-ascii"?>
<!--
  OpenIOC 1.0 (xmlns http://schemas.mandiant.com/2010/ioc) indicator set for the
  njRAT trojan, authored by @iocbucket on 2014-03-15 (timestamps carry no zone).
  The top-level Indicator is an OR of six terms: a host matches this IOC when any
  single term matches. The hash, file-name and IP/port values date from 2014 and
  will age; re-validate them before deploying against current hosts or traffic.
-->
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="0df46744-c585-4956-aa80-4ad873879eef" last-modified="2014-03-15T01:15:13" xmlns="http://schemas.mandiant.com/2010/ioc">
  <short_description> njRAT Trojan</short_description>
    <authored_by>@iocbucket</authored_by>
  <authored_date>2014-03-15T01:05:10</authored_date>
  <links />
  <definition>
    <Indicator operator="OR" id="fa9132c1-60ca-47d3-ba8a-e37d7e1bba3c">
      <!-- Term 1: exact match on a build artifact string embedded in the binary,
           the PDB path from the author's Visual Studio 2012 project ("allosh").
           Condition "is" requires the whole string to be equal, so a rebuild from
           a different path or user profile will not hit this term. -->
      <IndicatorItem id="042d544b-da96-428c-ada9-4d3a2430b62d" condition="is">
        <Context document="FileItem" search="FileItem/StringList/string" type="mir" />
        <Content type="string">c:\users\allosh hacker\documents\visual studio 2012\Projects\allosh\allosh\obj\Debug\Windows.pdb</Content>
      </IndicatorItem>
      <!-- Term 2 (AND): one specific sample named psiphon.exe, pinned by MD5, that
           carries no Authenticode signature. All three items must hold, so the hash
           effectively decides the match; the name and unsigned checks only narrow it.
           NOTE(review): the boolean is spelled "False". OpenIOC samples are often
           written with lowercase "false"; confirm the consuming tool compares
           SignatureExists case-insensitively before relying on this term. -->
      <Indicator operator="AND" id="e582324c-7d69-4fb3-9651-3d8387713ea8">
        <IndicatorItem id="aa0a4f56-7f12-4205-885e-85071f631456" condition="is">
          <Context document="FileItem" search="FileItem/FileName" type="mir" />
          <Content type="string">psiphon.exe</Content>
        </IndicatorItem>
        <IndicatorItem id="b7f05f86-2ebd-435f-a0b5-d0c53b559230" condition="is">
          <Context document="FileItem" search="FileItem/Md5sum" type="mir" />
          <Content type="md5">28bf01f67db4a5e8e6174b066775eae0</Content>
        </IndicatorItem>
        <IndicatorItem id="dd75ce96-15ea-4239-b67a-f360097c8773" condition="is">
          <Context document="FileItem" search="FileItem/PEInfo/DigitalSignature/SignatureExists" type="mir" />
          <Content type="string">False</Content>
        </IndicatorItem>

      </Indicator>
      <!-- Term 3 (AND): a file whose path contains AppData\Local and which is either
           one of two hashed samples or carries one of two file names; the inner OR
           makes any single hash or name sufficient.
           NOTE(review): the names "Temppsiphon3.exe" and "Tempserver.exe" look like
           "Temp\psiphon3.exe" and "Temp\server.exe" with the backslash lost. As
           written, FileName "is" only matches a file literally named
           Temppsiphon3.exe; a file named psiphon3.exe under AppData\Local\Temp would
           not hit. If a path fragment was intended, it belongs in FilePath with
           "contains" and the FileName items should be psiphon3.exe / server.exe.
           Verify against the original iocbucket entry before deploying. -->
      <Indicator operator="AND" id="ae84c026-5306-48ac-a3d6-24b784667e11">
        <IndicatorItem id="0f75fa7a-067d-4678-a0f3-482dda2dea8a" condition="contains">
          <Context document="FileItem" search="FileItem/FilePath" type="mir" />
          <Content type="string">AppData\Local</Content>
        </IndicatorItem>
        <Indicator operator="OR" id="adf63062-60b5-4b2c-a517-f2deafc00067">
          <IndicatorItem id="e9527c20-3baa-4726-a9b9-a87f9f6694e7" condition="is">
            <Context document="FileItem" search="FileItem/Md5sum" type="mir" />
            <Content type="md5">e1f2b15ec9f9a282065c931ec32a44b0</Content>
          </IndicatorItem>
          <IndicatorItem id="ea5ab636-1a51-43ca-ac65-4fc7c5a18327" condition="is">
            <Context document="FileItem" search="FileItem/FileName" type="mir" />
            <Content type="string">Temppsiphon3.exe</Content>
          </IndicatorItem>
          <IndicatorItem id="0478f943-62ef-4d48-986a-34a22479a0fc" condition="is">
            <Context document="FileItem" search="FileItem/Md5sum" type="mir" />
            <Content type="md5">81287134d7aa541beae4b000d4ab3f19</Content>
          </IndicatorItem>
          <IndicatorItem id="a1ac5932-769c-4c01-97b2-5a4653d45d8f" condition="is">
            <Context document="FileItem" search="FileItem/FileName" type="mir" />
            <Content type="string">Tempserver.exe</Content>
          </IndicatorItem>
        </Indicator>
      </Indicator>
      <!-- Term 4 (AND): persistence via the per-user Start Menu Startup folder using
           the browser-like name chrome.exe. The pairing is the indicator: the
           location is what makes an otherwise benign-looking name suspicious. -->
      <Indicator operator="AND" id="c7d602f2-c9af-45f5-9695-a4e3bc1ed814">
        <IndicatorItem id="a1398c40-784d-4127-a3e1-7ab63a3e66a7" condition="contains">
          <Context document="FileItem" search="FileItem/FilePath" type="mir" />
          <Content type="string">Start Menu\Programs\Startup\</Content>
        </IndicatorItem>
        <IndicatorItem id="792f8f7b-060d-4ba7-bad8-f2022ba31076" condition="is">
          <Context document="FileItem" search="FileItem/FileName" type="mir" />
          <Content type="string">chrome.exe</Content>
        </IndicatorItem>
      </Indicator>
      <!-- Term 5 (AND): a file named Explorer.exe (or its .tmp staging copy) under a
           path containing AppData\Roaming, presumably masquerading as the Windows
           shell. NOTE(review): the match is on the capitalised "Explorer.exe";
           whether "explorer.exe" also hits depends on the consumer's case handling. -->
      <Indicator operator="AND" id="0ea23c2c-8d76-4e3e-89c6-11f66264fa7c">
        <IndicatorItem id="67af28cb-54b8-47b6-8a30-f4ca94540b06" condition="contains">
          <Context document="FileItem" search="FileItem/FilePath" type="mir" />
          <Content type="string">AppData\Roaming</Content>
        </IndicatorItem>
        <Indicator operator="OR" id="bbfca743-04bd-41c6-8214-91e5920f30f2">
          <IndicatorItem id="cc2399f9-43f4-4ea9-893a-94777680e2cd" condition="is">
            <Context document="FileItem" search="FileItem/FileName" type="mir" />
            <Content type="string">Explorer.exe</Content>
          </IndicatorItem>
          <IndicatorItem id="9ba149e9-6317-4817-a847-a14d4260244c" condition="is">
            <Context document="FileItem" search="FileItem/FileName" type="mir" />
            <Content type="string">Explorer.exe.tmp</Content>
          </IndicatorItem>
        </Indicator>
      </Indicator>
      <!-- Term 6 (AND): network beacon to 31.9.48.141 on remote port 1960; no
           protocol item is given, so the term does not restrict TCP vs UDP. Both
           conditions are ANDed on the PortItem. This is the most perishable term:
           C2 addresses rotate, so check the IP is still attributable before use. -->
      <Indicator operator="AND" id="cc6dd535-0936-4190-8650-5a1fde6be246">
        <IndicatorItem id="2dd9c663-261b-49c7-95a9-112227d11e6a" condition="is">
          <Context document="PortItem" search="PortItem/remoteIP" type="mir" />
          <Content type="IP">31.9.48.141</Content>
        </IndicatorItem>
        <IndicatorItem id="80a36933-28cd-400d-b810-2ac040a87be9" condition="is">
          <Context document="PortItem" search="PortItem/remotePort" type="mir" />
          <Content type="int">1960</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>

Ref: www.iocbucket.com
