JohnGalt14

Regin Backdoor - Yara Rules

Nov 24th, 2014
/* Scroll down to find a YARA rule set to detect Regin Backdoor samples

Update 11.03.15 17:15
New False Positive:
54263888c64a7f010d3b5e399369b0f3ff3af0a0de8adb502b98277533e4d45f - Windows Serial Driver

Update 12.01.15 11:30
New False Positive:
519a0d7ebc75dcf65c80d61f952768e49c33c5c7c320a4cc4b4a12a0e9f3337d - SP1.CAB MSDN Disc 3498 (Microsoft)

Update 09.01.15 16:15
New False Positive:
9009ca5c5f6e2c7a776896e406805bc4c627028ce90d8fe566a6b2190c7e0106 - Windows Media Connect, code_page: Korean

Update 01.01.15 22:11
New False Positive:
581730d7cce49af90efad5f904ce205ee7123e6c0d206867fb8ad22559fa0556 - Windows Media Component Setup Application

Update 29.12.14 11:35
New False Positive:
b04a85ef2edbc5ac7b312e9d57b533d9d355d0c7cbbd24a8085c6873baf9411f - Windows SCSI Driver

Update 23.12.14 15:50
New False Positive:
0099940a366b401f30faaf820f4815083778383a2b1e9fab58e16d10b8965e3f - USB Scanner Driver

Update 15.12.14 11:15
Updated ReginScanner on Github (0.7: Filtered False Positive Hashes)
https://github.com/Neo23x0/ReginScanner

Update 06.12.14 11:00
New False Positives SHA256s and Updated Yara rule "Regin_Sample_1"
a26db2eb9f3e2509b4eba949db97595cc32332d9321df68283bfc102e66d766f - Windows Serial Driver
18cd54d163c9c5f16e824d13c411e21fd7616d34e9f1cf2adcbf869ed6aeeed4 - CD Tower Web Client

Update 03.12.14 18:10
Updated false positives

Update 02.12.14 09:15
Added new and yet unknown Regin sample found via Virustotal with SHA256
627dc5599c28de3c494496399b39f3aac7049586e72cbdb08bea01bf40166c23

Update 28.11.14 14:00
False Positive detected. Microsoft XP USB Scanner Driver. See false positive hash list below.
Updated rule "Regin_APT_KernelDriver_Generic_B" to exclude string that appears in Windows XP usb scanner driver.

Update 28.11.14 09:00
Check out ReginScanner to scan for multiple IOCs at once. It does not ship with the Kaspersky Yara rules. You should include them manually. (see the link below)
https://github.com/Neo23x0/ReginScanner

Update 27.11.14
I added a new signature set targeting new samples or samples that were not detected by the generic rules.

Tested on:
- Windows 7 x64
- Windows 2003
- Windows 2008 R2

False Positives:
The signatures are known to generate False Positives on certain Windows XP USB scanner drivers. (see list below for hashes)

Please check back with an MD5/SHA1/SHA256 hash if you found a sample that has Antivirus hits and is not in this list.

Known sample list - SHA256:

Heavily encrypted - use Hash instead of a Yara rule to detect these samples:
d42300fea6eddcb2f65ffec9e179e46d87d91affad55510279ecbb0250d7fdff

Known False Positives:
6e5ebbc8b70c1d593634daf0c190deadfda18c3cbc8f552a76f156f3869ef05b - Microsoft USB Scanner Driver
7565e7de9532c75b3a16e3ed0103bc092dbca63c6bdc19053dfef01250029e59 - NSRL listed
a26db2eb9f3e2509b4eba949db97595cc32332d9321df68283bfc102e66d766f - Windows Serial Driver
18cd54d163c9c5f16e824d13c411e21fd7616d34e9f1cf2adcbf869ed6aeeed4 - CD Tower Web Client
0099940a366b401f30faaf820f4815083778383a2b1e9fab58e16d10b8965e3f - USB Scanner Driver
b04a85ef2edbc5ac7b312e9d57b533d9d355d0c7cbbd24a8085c6873baf9411f - SCSI Driver Windows
581730d7cce49af90efad5f904ce205ee7123e6c0d206867fb8ad22559fa0556 - Windows Media Component Setup Application
519a0d7ebc75dcf65c80d61f952768e49c33c5c7c320a4cc4b4a12a0e9f3337d - SP1.CAB MSDN Disc 3498 (Microsoft)
54263888c64a7f010d3b5e399369b0f3ff3af0a0de8adb502b98277533e4d45f - Windows Serial Driver

Please check out this URL for the Kaspersky report with more specific Yara rules:
https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf
*/

rule Regin_APT_KernelDriver_Generic_A {
    meta:
        description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
        author = "@Malwrsignatures - included in APT Scanner THOR"
        date = "23.11.14"
        hash1 = "187044596bc1328efa0ed636d8aa4a5c"
        hash2 = "06665b96e293b23acc80451abb413e50"
        hash3 = "d240f06e98c8d3e647cbf4d442d79475"
    strings:
        $m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 } // start of the MZ header
        $m1 = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e } // DOS stub code + "This program cannot be run in DOS mode."

        $s0 = "atapi.sys" fullword wide
        $s1 = "disk.sys" fullword wide
        $s3 = "h.data" fullword ascii
        $s4 = "\\system32" fullword ascii
        $s5 = "\\SystemRoot" fullword ascii
        $s6 = "system" fullword ascii
        $s7 = "temp" fullword ascii
        $s8 = "windows" fullword ascii

        $x1 = "LRich6" fullword ascii
        $x2 = "KeServiceDescriptorTable" fullword ascii
    condition:
        // MZ header at offset 0, DOS stub present, every $s string and at least one $x string
        $m0 at 0 and $m1 and
        all of ($s*) and 1 of ($x*)
}

rule Regin_APT_KernelDriver_Generic_B {
    meta:
        description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
        author = "@Malwrsignatures - included in APT Scanner THOR"
        date = "23.11.14"
        hash1 = "ffb0b9b5b610191051a7bdf0806e1e47"
        hash2 = "bfbe8c3ee78750c3a520480700e440f8"
        hash3 = "b29ca4f22ae7b7b25f79c1d4a421139d"
        hash4 = "06665b96e293b23acc80451abb413e50"
        hash5 = "2c8b9d2885543d7ade3cae98225e263b"
        hash6 = "4b6b86c7fec1c574706cecedf44abded"
        hash7 = "187044596bc1328efa0ed636d8aa4a5c"
        hash8 = "d240f06e98c8d3e647cbf4d442d79475"
        hash9 = "6662c390b2bbbd291ec7987388fc75d7"
        hash10 = "1c024e599ac055312a4ab75b3950040a"
        hash11 = "ba7bb65634ce1e30c1e5415be3d1db1d"
        hash12 = "b505d65721bb2453d5039a389113b566"
        hash13 = "b269894f434657db2b15949641a67532"
    strings:
        $m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 } // start of the MZ header
        $s1 = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e } // DOS stub code + "This program cannot be run in DOS mode."
        $s2 = "H.data" fullword ascii nocase
        $s3 = "INIT" fullword ascii
        $s4 = "ntoskrnl.exe" fullword ascii

        $v1 = "\\system32" fullword ascii
        $v2 = "\\SystemRoot" fullword ascii
        $v3 = "KeServiceDescriptorTable" fullword ascii

        $w1 = "\\system32" fullword ascii
        $w2 = "\\SystemRoot" fullword ascii
        $w3 = "LRich6" fullword ascii

        $x1 = "_snprintf" fullword ascii
        $x2 = "_except_handler3" fullword ascii

        $y1 = "mbstowcs" fullword ascii
        $y2 = "wcstombs" fullword ascii
        $y3 = "KeGetCurrentIrql" fullword ascii

        $z1 = "wcscpy" fullword ascii
        $z2 = "ZwCreateFile" fullword ascii
        $z3 = "ZwQueryInformationFile" fullword ascii
        $z4 = "wcslen" fullword ascii
        $z5 = "atoi" fullword ascii

        $fp1 = "\\\\.\\Usbscan" wide fullword // appears in the Windows XP USB scanner driver (false positive)
    condition:
        // every $s string plus one complete string group ($v, $w, $x, $y or $z)
        $m0 at 0 and all of ($s*) and
        ( all of ($v*) or all of ($w*) or all of ($x*) or all of ($y*) or all of ($z*) )
        and filesize < 20KB
        and not $fp1
}

rule Regin_APT_KernelDriver_Generic_C {
    meta:
        description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
        author = "@Malwrsignatures - included in APT Scanner THOR"
        date = "23.11.14"
        hash1 = "e0895336617e0b45b312383814ec6783556d7635"
        hash2 = "732298fa025ed48179a3a2555b45be96f7079712"
    strings:
        $m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 }

        $s0 = "KeGetCurrentIrql" fullword ascii
        $s1 = "5.2.3790.0 (srv03_rtm.030324-2048)" fullword wide
        $s2 = "usbclass" fullword wide

        $x1 = "PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING" ascii
        $x2 = "Universal Serial Bus Class Driver" fullword wide
        $x3 = "5.2.3790.0" fullword wide

        $y1 = "LSA Shell" fullword wide
        $y2 = "0Richw" fullword ascii
    condition:
        $m0 at 0 and all of ($s*) and
        ( all of ($x*) or all of ($y*) )
        and filesize < 20KB
}

/* Update 27.11.14 */

rule Regin_sig_svcsstat {
    meta:
        description = "Detects svcstat from Regin report - file svcsstat.exe_sample"
        author = "@MalwrSignatures"
        date = "26.11.14"
        hash = "5164edc1d54f10b7cb00a266a1b52c623ab005e2"
    strings:
        $s0 = "Service Control Manager" fullword ascii
        $s1 = "_vsnwprintf" fullword ascii
        $s2 = "Root Agency" fullword ascii
        $s3 = "Root Agency0" fullword ascii
        $s4 = "StartServiceCtrlDispatcherA" fullword ascii
        $s5 = "\\\\?\\UNC" fullword wide
        $s6 = "%ls%ls" fullword wide
    condition:
        all of them and filesize < 15KB and filesize > 10KB
}

rule Regin_Sample_1 {
    meta:
        description = "Auto-generated rule - file-3665415_sys"
        author = "Florian Roth"
        date = "06.12.14"
        hash = "773d7fab06807b5b1bc2d74fa80343e83593caf2"
    strings:
        $s0 = "Getting PortName/Identifier failed - %x" fullword ascii
        $s1 = "SerialAddDevice - error creating new devobj [%#08lx]" fullword ascii
        $s2 = "External Naming Failed - Status %x" fullword ascii
        $s3 = "------- Same multiport - different interrupts" fullword ascii
        $s4 = "%x occurred prior to the wait - starting the" fullword ascii
        $s5 = "'user registry info - userPortIndex: %d" fullword ascii
        $s6 = "Could not report legacy device - %x" fullword ascii
        $s7 = "entering SerialGetPortInfo" fullword ascii
        $s8 = "'user registry info - userPort: %x" fullword ascii
        $s9 = "IoOpenDeviceRegistryKey failed - %x " fullword ascii
        $s10 = "Kernel debugger is using port at address %X" fullword ascii
        $s12 = "Release - freeing multi context" fullword ascii
        $s13 = "Serial driver will not load port" fullword ascii
        $s14 = "'user registry info - userAddressSpace: %d" fullword ascii
        $s15 = "SerialAddDevice: Enumeration request, returning NO_MORE_ENTRIES" fullword ascii
        $s20 = "'user registry info - userIndexed: %d" fullword ascii

        $fp1 = "Enter SerialBuildResourceList" ascii fullword // false-positive marker string
    condition:
        // all of ($s*), not "all of them": "them" also covers $fp1, so combined with
        // "not $fp1" the condition could never be true
        all of ($s*) and filesize < 110KB and filesize > 80KB and not $fp1
}

rule Regin_Sample_2 {
    meta:
        description = "Auto-generated rule - file hiddenmod_hookdisk_and_kdbg_8949d000.bin"
        author = "@MalwrSignatures"
        date = "26.11.14"
        hash = "a7b285d4b896b66fce0ebfcd15db53b3a74a0400"
    strings:
        $s0 = "\\SYSTEMROOT\\system32\\lsass.exe" fullword wide
        $s1 = "atapi.sys" fullword wide
        $s2 = "disk.sys" fullword wide
        $s3 = "IoGetRelatedDeviceObject" fullword ascii
        $s4 = "HAL.dll" fullword ascii
        $s5 = "\\Registry\\Machine\\System\\CurrentControlSet\\Services" fullword ascii
        $s6 = "PsGetCurrentProcessId" fullword ascii
        $s7 = "KeGetCurrentIrql" fullword ascii
        $s8 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager" wide
        $s9 = "KeSetImportanceDpc" fullword ascii
        $s10 = "KeQueryPerformanceCounter" fullword ascii
        $s14 = "KeInitializeEvent" fullword ascii
        $s15 = "KeDelayExecutionThread" fullword ascii
        $s16 = "KeInitializeTimerEx" fullword ascii
        $s18 = "PsLookupProcessByProcessId" fullword ascii
        $s19 = "ExReleaseFastMutexUnsafe" fullword ascii
        $s20 = "ExAcquireFastMutexUnsafe" fullword ascii
    condition:
        all of them and filesize < 40KB and filesize > 30KB
}

rule Regin_Sample_3 {
    meta:
        description = "Detects Regin Backdoor sample fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129"
        author = "@Malwrsignatures"
        date = "27.11.14"
        hash = "fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129"
    strings:
        $hd = { fe ba dc fe } // four-byte magic the file must start with (checked at offset 0)

        $s0 = "Service Pack x" fullword wide
        $s1 = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
        $s2 = "\\REGISTRY\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\HotFix" fullword wide
        $s3 = "mntoskrnl.exe" fullword wide
        $s4 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager\\Memory Management" fullword wide
        $s5 = "Memory location: 0x%p, size 0x%08x" wide fullword
        $s6 = "Service Pack" fullword wide
        $s7 = ".sys" fullword wide
        $s8 = ".dll" fullword wide

        $s10 = "\\REGISTRY\\Machine\\Software\\Microsoft\\Updates" fullword wide
        $s11 = "IoGetRelatedDeviceObject" fullword ascii
        $s13 = "VMEM.sys" fullword ascii // string identifiers must be unique within a rule
        $s12 = "RtlGetVersion" fullword wide
        $s14 = "ntkrnlpa.exe" fullword ascii
    condition:
        ( $hd at 0 ) and all of ($s*) and filesize > 160KB and filesize < 200KB
}

rule Regin_Sample_Set_1 {
    meta:
        description = "Auto-generated rule - file SHF-000052 and ndisips.sys"
        author = "@MalwrSignatures"
        date = "26.11.14"
        hash = "8487a961c8244004c9276979bb4b0c14392fc3b8"
        hash = "bcf3461d67b39a427c83f9e39b9833cfec977c61"
    strings:
        $s0 = "HAL.dll" fullword ascii
        $s1 = "IoGetDeviceObjectPointer" fullword ascii
        $s2 = "MaximumPortsServiced" fullword wide
        $s3 = "KeGetCurrentIrql" fullword ascii
        $s4 = "ntkrnlpa.exe" fullword ascii
        $s5 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager" wide
        $s6 = "ConnectMultiplePorts" fullword wide
        $s7 = "\\SYSTEMROOT" fullword wide
        $s8 = "IoWriteErrorLogEntry" fullword ascii
        $s9 = "KeQueryPerformanceCounter" fullword ascii
        $s10 = "KeServiceDescriptorTable" fullword ascii
        $s11 = "KeRemoveEntryDeviceQueue" fullword ascii
        $s12 = "SeSinglePrivilegeCheck" fullword ascii
        $s13 = "KeInitializeEvent" fullword ascii
        $s14 = "IoBuildDeviceIoControlRequest" fullword ascii
        $s15 = "KeRemoveDeviceQueue" fullword ascii
        $s16 = "IofCompleteRequest" fullword ascii
        $s17 = "KeInitializeSpinLock" fullword ascii
        $s18 = "MmIsNonPagedSystemAddressValid" fullword ascii
        $s19 = "IoCreateDevice" fullword ascii
        $s20 = "KefReleaseSpinLockFromDpcLevel" fullword ascii
    condition:
        all of them and filesize < 40KB and filesize > 30KB
}

rule Regin_Sample_Set_2 {
    meta:
        description = "Detects Regin Backdoor sample 4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be and e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935"
        author = "@MalwrSignatures"
        date = "27.11.14"
        hash = "4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be"
        hash = "e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935"
    strings:
        $hd = { fe ba dc fe } // four-byte magic the file must start with (checked at offset 0)

        $s0 = "d%ls%ls" fullword wide
        $s1 = "\\\\?\\UNC" fullword wide
        $s2 = "Software\\Microsoft\\Windows\\CurrentVersion" fullword wide
        $s3 = "\\\\?\\UNC\\" fullword wide
        $s4 = "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}" fullword wide
        $s5 = "System\\CurrentControlSet\\Services\\Tcpip\\Linkage" wide fullword
        $s6 = "\\\\.\\Global\\%s" fullword wide
        $s7 = "temp" fullword wide
        $s8 = "\\\\.\\%s" fullword wide
        $s9 = "Memory location: 0x%p, size 0x%08x" fullword wide

        $s10 = "sscanf" fullword ascii
        $s11 = "disp.dll" fullword ascii
        $s15 = "%x:%x:%x:%x:%x:%x:%x:%x%c" fullword ascii // string identifiers must be unique within a rule
        $s12 = "%d.%d.%d.%d%c" fullword ascii
        $s13 = "imagehlp.dll" fullword ascii
        $s14 = "%hd %d" fullword ascii
    condition:
        ( $hd at 0 ) and all of ($s*) and filesize < 450KB and filesize > 360KB
}
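
The header's triage guidance (ignore rule hits on the listed false-positive hashes, and detect the heavily encrypted sample by hash alone) as an added Python example; it is not part of the original paste and is not ReginScanner's code. The function names and the constructed demo files are assumptions, and YARA hits are passed in as rule names from whatever scanner produced them.

```python
import hashlib
import tempfile
from pathlib import Path

# "Known False Positives" entries copied from the header of the paste.
FALSE_POSITIVE_LIST = """\
6e5ebbc8b70c1d593634daf0c190deadfda18c3cbc8f552a76f156f3869ef05b - Microsoft USB Scanner Driver
7565e7de9532c75b3a16e3ed0103bc092dbca63c6bdc19053dfef01250029e59 - NSRL listed
a26db2eb9f3e2509b4eba949db97595cc32332d9321df68283bfc102e66d766f - Windows Serial Driver
18cd54d163c9c5f16e824d13c411e21fd7616d34e9f1cf2adcbf869ed6aeeed4 - CD Tower Web Client
0099940a366b401f30faaf820f4815083778383a2b1e9fab58e16d10b8965e3f - USB Scanner Driver
b04a85ef2edbc5ac7b312e9d57b533d9d355d0c7cbbd24a8085c6873baf9411f - SCSI Driver Windows
581730d7cce49af90efad5f904ce205ee7123e6c0d206867fb8ad22559fa0556 - Windows Media Component Setup Application
519a0d7ebc75dcf65c80d61f952768e49c33c5c7c320a4cc4b4a12a0e9f3337d - SP1.CAB MSDN Disc 3498 (Microsoft)
54263888c64a7f010d3b5e399369b0f3ff3af0a0de8adb502b98277533e4d45f - Windows Serial Driver
"""
# Header: "Heavily encrypted - use Hash instead of a Yara rule".
HASH_ONLY_SAMPLES = {"d42300fea6eddcb2f65ffec9e179e46d87d91affad55510279ecbb0250d7fdff"}

def parse_hash_list(text):
    """Parse '<sha256> - <description>' lines into {sha256: description}."""
    entries = {}
    for line in text.splitlines():
        digest, sep, desc = line.strip().partition(" - ")
        if sep and len(digest) == 64 and set(digest.lower()) <= set("0123456789abcdef"):
            entries[digest.lower()] = desc.strip()
    return entries

KNOWN_FALSE_POSITIVES = parse_hash_list(FALSE_POSITIVE_LIST)

def sha256_file(path, chunk_size=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):  # chunked: safe for large files
            h.update(chunk)
    return h.hexdigest()

def triage(path, yara_hits, false_positives=None, hash_only=None):
    """Combine YARA rule hits with the hash lists; returns (verdict, detail)."""
    fps = KNOWN_FALSE_POSITIVES if false_positives is None else false_positives
    iocs = HASH_ONLY_SAMPLES if hash_only is None else hash_only
    digest = sha256_file(path)
    if digest in iocs:                  # hash IOC counts even when no rule fired
        return "malicious", "hash-only sample " + digest
    if yara_hits and digest in fps:     # a rule fired on a known-benign file
        return "suppressed", fps[digest]
    if yara_hits:
        return "suspicious", ", ".join(sorted(yara_hits))
    return "clean", ""

def demo():
    """Constructed files stand in for a benign driver, an unknown hit and the IOC."""
    hit = ["Regin_APT_KernelDriver_Generic_B"]
    with tempfile.TemporaryDirectory() as tmp:
        paths = [Path(tmp, n) for n in ("benign.sys", "unknown.sys", "encrypted.bin")]
        for p in paths:
            p.write_bytes(b"constructed sample: " + p.name.encode())
        fps = {sha256_file(paths[0]): "constructed benign driver"}
        iocs = {sha256_file(paths[2])}
        cases = [(paths[0], hit), (paths[1], hit), (paths[2], []), (paths[1], [])]
        return [triage(p, hits, fps, iocs)[0] for p, hits in cases]

if __name__ == "__main__":
    print(demo())
```

Called without the last two arguments, `triage` uses the hash lists from the paste header; the demo swaps in hashes of its own constructed files because no real sample is available offline.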