James_inthe_box

NewDDOSBot

Jan 3rd, 2019
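  /*
   * NewDDOSBot_bin: on-disk detection for the NewDDOSBot sample analysed in
   * the any.run task given under `reference`.
   *
   * Matches a file that starts with the DOS 'MZ' magic and contains all five
   * strings below. Only "NewDDOSBot" is family-specific; "PlatformID" and
   * "WebBrowser" are ordinary .NET type names, so the rule relies on the
   * combination, not on any single string.
   *
   * NOTE(review): "Make.My" / "My.Settings" look like VB.NET project
   * namespaces; this is inferred from the strings, confirm against the sample.
   * NOTE(review): no string carries `wide`, so only single-byte occurrences
   * match, and there is no filesize bound. Validate against a clean .NET
   * corpus before deploying at scale.
   */
  rule NewDDOSBot_bin
  {
      meta:
          description = "NewDDOSBot"
          author = " James_inthe_box"
          reference = "https://app.any.run/tasks/209085da-a3b3-4317-923a-90a4a2e82414"
          date = "2019/01"
          maltype = "Bot"

      strings:
          $string1 = "PlatformID"
          $string2 = "NewDDOSBot"
          $string3 = "Make.My"
          $string4 = "My.Settings"
          $string5 = "WebBrowser"

      condition:
          // 'MZ' header test done with uint16() (little-endian 0x5A4D) instead
          // of a 2-byte hex string: a 2-byte pattern is too short to give YARA
          // a useful atom and triggers the "slowing down scanning" warning.
          uint16(0) == 0x5A4D and all of ($string*)
  }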
  21.  
  /*
   * NewDDOSBot_mem: in-memory detection for NewDDOSBot.
   *
   * There is no header check, so the rule is usable on process memory and
   * dumps. It requires all four UTF-16 (`wide`) strings. "t_type", "knock_t"
   * and "NaID" are the JSON key names visible in the task messages listed
   * under "artifacts" in this paste; "stop_t" does not appear in that excerpt.
   *
   * NOTE(review): the keys are short and generic on their own. The rule
   * depends on all four co-occurring, so test it against benign processes
   * before using it for alerting.
   */
  rule NewDDOSBot_mem
  {
      meta:
          description = "NewDDOSBot"
          author = " James_inthe_box"
          reference = "https://app.any.run/tasks/209085da-a3b3-4317-923a-90a4a2e82414"
          date = "2018/12"
          maltype = "Bot"

      strings:
          $key_task_type = "t_type" wide
          $key_knock     = "knock_t" wide
          $key_task_id   = "NaID" wide
          $key_stop      = "stop_t" wide

      condition:
          all of them
  }
  40.  
  41. hashes:
  42. efdd39a444a372d5d14bb208f128fb65
  43. 78d164f8cc8430d730e849876d4e51e3
  44.  
  45. c2's:
  46. http://banana999.com/php/gate.php
  47. http://apple322.com/php/gate.php
  48.  
  49. artifacts:
  50. 1DA44AE17841369322DA459936B0E6CE::::2.15::::Microsoft Windows 7 Professional ::::0::::0
  51. {"t_type":"KNOCK","knock_t":"200"}::::CHK::::{"t_type":"STOP","NaID":"11757846464e8"}::::{"t_type":"STOP","NaID":"ff78964b321e5"}::::{"t_type":"STOP","NaID":"735d134476951"}::::{"t_type":"STOP","NaID":"6ed718961bff6"}::::{"t_type":"STOP","NaID":"d65d00d677cd8"}