// FinSpy (FinFisher) detection rule, one rule keyed on artefact strings from
// several of the implant's modules. Every `$...` pattern below is reproduced
// exactly as the original author wrote it; the comments only describe what is
// visible in the rule and flag points a maintainer should confirm.
rule FinSpy
{
    meta:
        detection = "FinFisher FinSpy"

    strings:
        // Credential-harvesting group. The `/scomma` and `/stab` switches and
        // the comma-separated column headers look like the command lines and
        // CSV report headers of NirSoft-style password-recovery utilities,
        // presumably bundled under innocuous file names ("kbd101.sys",
        // "excel2010.part", ...) — confirm against a sample.
        // The parenthesised first character, e.g. `(N)AME`, is a group that
        // does not change what the regex matches; presumably it is there so
        // this rule file does not match itself when scanned.
        $password1 = /\/scomma kbd101\.sys/ wide ascii
        $password2 = /(N)AME,EMAIL CLIENT,EMAIL ADDRESS,SERVER NAME,SERVER TYPE,USERNAME,PASSWORD,PROFILE/ wide ascii
        $password3 = /\/scomma excel2010\.part/ wide ascii
        $password4 = /(A)PPLICATION,PROTOCOL,USERNAME,PASSWORD/ wide ascii
        $password5 = /\/stab MSVCR32\.manifest/ wide ascii
        $password6 = /\/scomma MSN2010\.dll/ wide ascii
        $password7 = /\/scomma Firefox\.base/ wide ascii
        $password8 = /(I)NDEX,URL,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD,FILE,HTTP/ wide ascii
        $password9 = /\/scomma IE7setup\.sys/ wide ascii
        $password10 = /(O)RIGIN URL,ACTION URL,USERNAME FIELD,PASSWORD FIELD,USERNAME,PASSWORD,TIMESTAMP/ wide ascii
        $password11 = /\/scomma office2007\.cab/ wide ascii
        $password12 = /(U)RL,PASSWORD TYPE,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD/ wide ascii
        $password13 = /\/scomma outlook2007\.dll/ wide ascii
        $password14 = /(F)ILENAME,ENCRYPTION,VERSION,CRC,PASSWORD 1,PASSWORD 2,PASSWORD 3,PATH,SIZE,LAST MODIFICATION DATE,ERROR/ wide ascii

        // Screen-recording group: fixed ".dat" file names sharing an
        // eight-zero suffix. Presumably output files of the screen capture
        // module; the meaning of the letter/digit prefixes is not documented
        // here.
        $screenrec1 = /(s)111o00000000\.dat/ wide ascii
        $screenrec2 = /(t)111o00000000\.dat/ wide ascii
        $screenrec3 = /(f)113o00000000\.dat/ wide ascii
        $screenrec4 = /(w)114o00000000\.dat/ wide ascii
        $screenrec5 = /(u)112Q00000000\.dat/ wide ascii
        $screenrec6 = /(v)112Q00000000\.dat/ wide ascii
        $screenrec7 = /(v)112O00000000\.dat/ wide ascii

        // Keylogger candidates, left disabled by the author. The first is a
        // printf-style format string and the second a generic "1201" + 8 hex
        // digits file name; presumably judged too weak or too noisy on their
        // own. They are not referenced by the condition.
        //$keylogger1 = /\<%s UTC %s\|%d\|%s\>/ wide ascii
        //$keylogger2 = /1201[0-9A-F]{8}\.dat/ wide ascii

        // Microphone recording: "2101" + 8 hex digits + ".dat", same naming
        // scheme as the disabled $keylogger2 and $mouserec2 below.
        $micrec = /2101[0-9A-F]{8}\.dat/ wide ascii

        // Skype-recording group: a log-line format string, a "Global\" kernel
        // object name template built from a GUID-like prefix and a "%.04X"
        // suffix (UTF-16 only), and four "14x1" file-name prefixes.
        $skyperec1 = /\[%19s\] %25s\: %s/ wide ascii
        $skyperec2 = /Global\\\{A48F1A32\-A340\-11D0\-BC6B\-00A0C903%\.04X\}/ wide
        $skyperec3 = /(1411|1421|1431|1451)[0-9A-F]{8}\.dat/ wide ascii

        // Mouse-recording group.
        $mouserec1 = /(m)sc183Q000\.dat/ wide ascii
        $mouserec2 = /2201[0-9A-F]{8}\.dat/ wide ascii

        // Device path of the implant's driver. NOTE(review): as written the
        // regex matches four backslashes, a dot and two backslashes — i.e. the
        // escaped form as it would appear in C source — rather than the
        // two-backslash "\\.\driverw" device path a compiled binary would
        // carry; confirm which form is intended before relying on this string.
        $driver = /\\\\\\\\\.\\\\driverw/ wide ascii

        // Literal "Jane Dow's ... machine" strings, presumably a build or test
        // environment name left in the binaries.
        $janedow1 = /(J)ane Dow\'s x32 machine/ wide ascii
        $janedow2 = /(J)ane Dow\'s x64 machine/ wide ascii

        // Version markers. These are the only case-insensitive patterns, and
        // carry neither `wide` nor `ascii`, so they match ASCII only.
        $versions1 = /(f)inspyv2/ nocase
        $versions2 = /(f)inspyv4/ nocase

        // Bootkit driver names; no modifiers, so ASCII only.
        $bootkit1 = /(b)ootkit_x32driver/
        $bootkit2 = /(b)ootkit_x64driver/

        // A misspelling ("ScreenShort") used as a fingerprint; UTF-16 only.
        $typo1 = /(S)creenShort Recording/ wide

        // Service registry path for a driver named "mssounddx"; UTF-16 only.
        // NOTE(review): the `wide`-only patterns ($skyperec2, $typo1,
        // $mssounddx) and the modifier-less ones ($versions*, $bootkit*) are
        // narrower than the rest of the rule; whether that asymmetry is
        // deliberate cannot be told from here.
        $mssounddx = /(S)ystem\\CurrentControlSet\\Services\\mssounddx/ wide

    condition:
        // Only the credential group needs corroboration (8 of 14 strings);
        // every other group fires on a single hit, so each of those strings
        // is on its own a detection and should be judged for false positives
        // individually. The disabled $keylogger* strings are not used here.
        8 of ($password*) or any of ($screenrec*) or $micrec or any of ($skyperec*) or any of ($mouserec*) or $driver or any of ($janedow*) or any of ($versions*) or any of ($bootkit*) or $typo1 or $mssounddx
}