JohnGalt14

Malware_Campaign_Jan14

Jan 15th, 2014
  // Cridex-C sample from the January 2014 German billing-themed campaign.
  // Matches on one fixed DLL import name plus at least one of two secondary
  // DLL names; all three are ASCII and must appear as whole words.
  rule Malware_Cridex_Generic {
      meta:
          description = "Rule matching Cridex-C Malware distributed in a German Campaign, January 2014 (Vodafone, Telekom, Volksbank bills)"
          author = "F. Roth"
          date = "2014-01-15"
          reference = "https://www.virustotal.com/en/file/519120e4ff6524353247dbac3f66e6ddad711d384e317923a5bb66c16601743e/analysis/"
          hash = "86d3e008b8f5983c374a4859739f7de4"
      strings:
          // Secondary indicators: either one is sufficient when combined with $c1.
          $b2a = "COMUID.dll" fullword
          $b2b = "INSENG.dll" fullword
          // Primary indicator: required.
          $c1 = "NEWDEV.dll" fullword
      condition:
          // "any of" is YARA's synonym for "1 of" (at least one string of the set).
          $c1 and any of ($b*)
  }
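  // Auto-generated Cridex rule keyed on the count of Windows-style path strings
  // (drive letter plus two to five alphabetic path components) in small files.
  //
  // Renamed from Malware_Cridex_Generic: the same identifier is declared by the
  // preceding rule in this set, and YARA rejects a ruleset with a duplicated rule
  // name, so neither rule would have compiled as pasted.
  rule Malware_Cridex_Generic_Paths {
      meta:
          description = "Cridex Generic"
          author = "Yara Bulk Rule Generator"
          hash = "ab0e2cbca1434ab87e8cb81f97180292"
      strings:
          // Optional components are written as (...)? rather than (...|) — same
          // meaning, but avoids relying on empty-alternative support in the regex
          // engine. Each component is 4–10 letters followed by a backslash.
          $s1 = /[Cc]:\\([a-zA-Z]{4,10}\\)?([a-zA-Z]{4,10}\\)?([a-zA-Z]{4,10}\\)?[a-zA-Z]{4,10}\\[a-zA-Z]{4,10}/ fullword
          // As $s1 but ending in a three-letter extension. The dot before the
          // extension is escaped: an unescaped "." matched any character, so
          // the pattern also fired on paths with no extension at all.
          $s2 = /[Cc]:\\([a-zA-Z]{4,10}\\)?([a-zA-Z]{4,10}\\)?([a-zA-Z]{4,10}\\)?[a-zA-Z]{4,10}\\[a-zA-Z]{4,10}\.[a-z]{3}/ fullword
          // Minimal two-component path.
          $s3 = /[Cc]:\\[a-zA-Z]{4,10}\\[a-zA-Z]{4,10}/ fullword
      condition:
          // Count windows (#sN) bound how many times each pattern occurs; the
          // filesize cap keeps the rule from scanning large benign binaries
          // that naturally contain many path strings.
          ( #s1 > 4 and #s1 < 8 ) and
          ( #s2 > 1 and #s2 < 5 ) and
          ( #s3 > 4 and #s3 < 8 ) and
          filesize < 200KB
  }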