0x454545

Untitled

Apr 11th, 2019
  1. rule crypt_constants_2
  2. {
  3. meta:
  4. Author="NCCIC trusted 3rd party"
  5. Incident="10135536"
  6. Date = "2018/04/19"
  7. category = "hidden_cobra"
  8. family = "n/a"
  9. description = "n/a"
  10.  
  11. strings:
  12. $ = {efcdab90}
  13. $ = {558426fe}
  14. $ = {7856b4c2}
  15.  
  16. condition:
  17. (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
  18.  
  19. }
  21. rule lsfr_constants
  22. {
  23. meta:
  24. Author="NCCIC trusted 3rd party"
  25. Incident="10135536"
  26. Date = "2018/04/19"
  27. category = "hidden_cobra"
  28. family = "n/a"
  29. description = "n/a"
  30.  
  31. strings:
  32. $ = {efcdab90}
  33. $ = {558426fe}
  34. $ = {7856b4c2}
  35.  
  36. condition:
  37. (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
  38.  
  39. }
  40. rule polarSSL_servernames
  41. {
  42. meta:
  43. Author="NCCIC trusted 3rd party"
  44. Incident="10135536"
  45. Date = "2018/04/19"
  46. category = "hidden_cobra"
  47. family = "n/a"
  48. description = "n/a"
  49.  
  50. strings:
  51. $polarSSL = "fjiejffndxklfsdkfjsaadiepwn"
  52. $sn1 = "www.google.com"
  53. $sn2 = "www.naver.com"
  54.  
  55. condition:
  56. (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) -- 0x4550) and ($polarSSL and 1 of ($sn*))
  57.  
  58. }