- dll rules optimized by @cyb3rops
rule Teamspy_bin
{
    // On-disk Teamspy backdoor: PE (MZ) header, every indicator string
    // present, and under the 500KB cut-off. Teamspy_mem carries the same
    // string set for dumps above that size.
    meta:
        description = "Teamspy"
        author = "James_inthe_box"
        reference = "b4c344d31e48903f200988bb10bf5fe838fb2b089a54b6c1c3004a80e037e1d0"
        date = "2019/03"
        maltype = "Backdoor"

    strings:
        // UTF-16LE path that looks like Google's updater; presumably the
        // drop/persistence location - not established by the rule itself.
        $s1 = "\\Google\\Update\\GoogleUpdate.exe" wide
        $s2 = "Value_%d"
        // Presumably a registry key used by the sample - confirm against a sample.
        $s3 = "Software\\localNETService"
        // NOTE(review): 4-byte ASCII atom, weak on its own (matches inside
        // "latest" etc.); only useful because all strings are required.
        $s4 = "test"
        $s5 = "/chk" wide
        $s6 = ".dat"
        $s7 = "IgnoreNew"

    condition:
        // MZ magic, size bound, then the full string set.
        uint16(0) == 0x5A4D
        and filesize < 500KB
        and all of them
}
rule Teamspy_mem
{
    // Teamspy backdoor in large artefacts (memory/process dumps): same
    // indicator strings as Teamspy_bin, no MZ check, size above 500KB.
    // NOTE(review): filesize is undefined when YARA scans a live process,
    // so this appears intended for dump files on disk - confirm.
    meta:
        description = "Teamspy"
        author = "James_inthe_box"
        reference = "b4c344d31e48903f200988bb10bf5fe838fb2b089a54b6c1c3004a80e037e1d0"
        date = "2019/03"
        maltype = "Backdoor"

    strings:
        // UTF-16LE path resembling Google's updater; presumably the
        // drop/persistence location - not established by the rule itself.
        $s1 = "\\Google\\Update\\GoogleUpdate.exe" wide
        $s2 = "Value_%d"
        // Presumably a registry key used by the sample - confirm against a sample.
        $s3 = "Software\\localNETService"
        // NOTE(review): 4-byte ASCII atom, weak on its own; only useful
        // because all strings are required.
        $s4 = "test"
        $s5 = "/chk" wide
        $s6 = ".dat"
        $s7 = "IgnoreNew"

    condition:
        filesize > 500KB
        and all of them
}
rule Teamspy_dll_bin
{
    // Teamspy payload DLL on disk: PE (MZ) header, the beacon format
    // string below, and under 500KB. Teamspy_dll_mem is the dump-side twin.
    meta:
        description = "Teamspy extracted dll"
        author = "James_inthe_box"
        reference = "b4c344d31e48903f200988bb10bf5fe838fb2b089a54b6c1c3004a80e037e1d0"
        date = "2019/03"
        maltype = "Backdoor"

    strings:
        // Single long printf-style format string; high-quality atom, so the
        // rule rests on one indicator. Looks like a check-in query string -
        // presumably C2 related, not established by the rule itself.
        $fmt = "client_id=%.8x&connected=%d&server_port=%d&debug=%d&os=%d.%d.%04d&dgt=%d&dti=%d"

    condition:
        uint16(0) == 0x5A4D
        and filesize < 500KB
        and $fmt
}
rule Teamspy_dll_mem
{
    // Teamspy payload DLL in large artefacts (memory/process dumps): the
    // same beacon format string as Teamspy_dll_bin, no MZ check, > 500KB.
    // NOTE(review): filesize is undefined when YARA scans a live process,
    // so this appears intended for dump files on disk - confirm.
    meta:
        description = "Teamspy extracted dll"
        author = "James_inthe_box"
        reference = "b4c344d31e48903f200988bb10bf5fe838fb2b089a54b6c1c3004a80e037e1d0"
        date = "2019/03"
        maltype = "Backdoor"

    strings:
        // Single long printf-style format string; the rule rests on this
        // one indicator. Presumably a check-in query string - not
        // established by the rule itself.
        $fmt = "client_id=%.8x&connected=%d&server_port=%d&debug=%d&os=%d.%d.%04d&dgt=%d&dti=%d"

    condition:
        filesize > 500KB
        and $fmt
}