Win32/Spy.Shiz.NCP (Shifu)

rule Shifu
{
    meta:
      author = "[email protected]"
      description = "Search for hex and strings pattern on Win32/Spy.Shiz.NCP (Shifu)"
      // May only the challenge guide you...

    strings:
      $a1 = {C7 06 3C 00 00 00 C7 46 0C ?? ?? ?? ?? 89 5E 10 89 46 14 C7 46 04 40 00 00 00 EB 1C}
      $a2 = {85 C0 75 3A 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 85 C0}
      $a3 = {8A 1C 0E 32 5D 0C 88 19 41 4A 75 F4}

      $b1 = "cmd.exe" wide ascii
      $b2 = "runas" wide ascii
      $b3 = "exe"
    condition:
        all of ($a*) and 2 of ($b*)
}