dingavinga1 / malware-analysis

Your very own cheat sheet for Malware Analysis.

hy #1

Closed asharbinkhalil closed 1 year ago

asharbinkhalil commented 1 year ago

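rule is_exe
{
    meta:
        description = "Identifies if the file is a PE executable (EXE), not a DLL"
    condition:
        // IMAGE_DOS_HEADER.e_magic == "MZ" and IMAGE_NT_HEADERS.Signature == "PE\0\0".
        // e_lfanew (offset of the PE signature) is the dword at DOS-header offset 0x3C.
        // An out-of-range uintN() evaluates to undefined in YARA, so a truncated or
        // non-PE file fails the condition instead of erroring.
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
        // COFF IMAGE_FILE_HEADER.Characteristics sits 0x16 bytes past the PE signature.
        // Require IMAGE_FILE_EXECUTABLE_IMAGE (0x0002) and reject IMAGE_FILE_DLL (0x2000)
        // so this rule is disjoint from is_dll rather than matching every PE file.
        // Note: a kernel driver (.sys) without the DLL flag still matches here; use
        // is_driver to tell those apart.
        and (uint16(uint32(0x3C) + 0x16) & 0x0002) != 0
        and (uint16(uint32(0x3C) + 0x16) & 0x2000) == 0
}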

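rule is_dll
{
    meta:
        description = "Identifies if the file is a dynamic link library"
    condition:
        // Standard PE sanity check: "MZ" at 0 and "PE\0\0" at e_lfanew (dword at 0x3C).
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
        // The original test, uint32(uint32(0x78)) == 0, read a dword at the fixed file
        // offset 0x78 (inside the DOS stub, not relative to e_lfanew) and dereferenced it
        // as another offset, which says nothing about the file being a DLL.
        // The DLL property is the IMAGE_FILE_DLL bit (0x2000) in
        // IMAGE_FILE_HEADER.Characteristics, located 0x16 bytes past the PE signature.
        and (uint16(uint32(0x3C) + 0x16) & 0x2000) != 0
}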

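rule is_driver
{
    meta:
        description = "Identifies if the file is a Windows kernel-mode driver (native subsystem)"
    condition:
        // Standard PE sanity check: "MZ" at 0 and "PE\0\0" at e_lfanew (dword at 0x3C).
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
        // The original test, uint32(uint32(0x84)) == 0x00010000, used the fixed file
        // offset 0x84 (not relative to e_lfanew) as a pointer; it does not identify drivers.
        // Kernel drivers are built for IMAGE_SUBSYSTEM_NATIVE (1). The Subsystem word
        // is at optional-header offset 0x44 in both PE32 and PE32+, i.e. e_lfanew + 0x18
        // (COFF header) + 0x44 = e_lfanew + 0x5C.
        and uint16(uint32(0x3C) + 0x5C) == 1
        // NOTE(review): native-subsystem user-mode images (e.g. autochk-style binaries)
        // also match; cross-check with an import of ntoskrnl.exe / hal.dll for precision.
}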

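rule process_injection
{
    meta:
        description = "Identifies if the malware is using process injection techniques"
    strings:
        // Classic remote-thread injection triad (import names are ASCII in the IAT).
        $a = "CreateRemoteThread"
        $b = "VirtualAllocEx"
        $c = "WriteProcessMemory"
    condition:
        // Gate on a PE header: these names also occur in documentation, scripts and
        // debugger/AV binaries that are not the thing being hunted.
        uint16(0) == 0x5A4D
        // "any of them" fired on every program that imports just one of these APIs
        // (debuggers, installers, many legitimate tools). Requiring two of the three
        // keeps the alloc+write or write+thread combinations that injection needs
        // while dropping the single-import noise.
        and 2 of them
}

rule suspicious_backdoor
{
    meta:
        description = "Detects suspicious backdoor malware with keylogger functionality"
    strings:
        // Artifacts specific to the backdoor behaviour (capture files, remote shell, plugin names).
        $art1 = "keylog.dat"
        $art2 = "screenshot.dat"
        $art3 = "remote cmd"
        $art4 = "cmd.dll"
        $art5 = "crypt.dll"
        // Process names used for masquerading / injection targets. These appear in an
        // enormous number of legitimate binaries and must not match on their own.
        $proc1 = "svchost.exe"
        $proc2 = "dllhost.exe"
        $proc3 = "winlogon.exe"
        $proc4 = "explorer.exe"
    condition:
        // Gate on a PE header so text files quoting these names do not match.
        uint16(0) == 0x5A4D
        // The original "any of ($s*)" matched on a lone "explorer.exe" or "svchost.exe",
        // i.e. on most of the Windows install base. Require either two behaviour
        // artifacts, or one artifact plus one masquerade target.
        and (2 of ($art*) or (1 of ($art*) and 1 of ($proc*)))
}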

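rule suspicious_api_calls
{
    meta:
        description = "Detects malware based on suspicious API calls"
    strings:
        // Same three imports as process_injection; this rule is effectively a duplicate
        // of it and is kept for callers that reference it by name.
        $s1 = "VirtualAllocEx"
        $s2 = "CreateRemoteThread"
        $s3 = "WriteProcessMemory"
    condition:
        // Require a PE header and at least two of the three APIs, consistent with
        // process_injection; a single one of these imports is common in benign tools.
        uint16(0) == 0x5A4D and 2 of ($s*)
}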

rule suspicious_memory_allocation
{
    meta:
        description = "Detects malware based on suspicious memory allocation"
    strings:
        // Decodes as 32-bit x86: push esi; push edi; mov edi,[esp+8]; then a run of
        // mov reg,[edi+0xC/0x10/0x14/0x18/0x1C]; mov edx,[edi]; mov ebx,[edi+0x20];
        // mov ecx,[edi+0x24]; mov ebp,[edi+ecx*4]  -- a function loading many fields of
        // a struct passed as its first argument. NOTE(review): nothing in these bytes
        // is tied to memory allocation; provenance of the pattern is undocumented.
        $s1 = {56 57 8B 7C 24 08 8B 47 0C 8B 4F 10 8B 57 14 8B 4F 18 8B 4F 1C 8B 17 8B 5F 20 8B 4F 24 8B 2C 8F}
        // Decodes as: push imm32; push 1; push eax; call dword ptr [imm32] -- a generic
        // three-argument stdcall import call. Expect this in most compiled 32-bit code,
        // so it is a weak, high-false-positive indicator on its own.
        $s2 = {68 ?? ?? ?? ?? 6A 01 50 FF 15}
    condition:
        // Either pattern alone matches; no PE gate, so the rule also fires on raw
        // memory dumps and shellcode blobs (which may be intended).
        any of ($s*)
}

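rule suspicious_file_behavior
{
    meta:
        description = "Detects malware based on suspicious file behavior"
    strings:
        // Substring matches: "CreateFile" also hits CreateFileA/W, CreateFileMapping,
        // CreateFileTransacted; "DeleteFile" hits DeleteFileA/W.
        $s1 = "CreateFile"
        $s2 = "WriteFile"
        $s3 = "DeleteFile"
    condition:
        // Gate on a PE header and require all three imports. With "any of ($s*)" the
        // rule matched virtually every Windows binary, since almost all of them import
        // CreateFile. Even with all three this is a triage label (file-handling program),
        // not evidence of malice; pair it with a behavioural rule before alerting on it.
        uint16(0) == 0x5A4D and all of ($s*)
}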

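rule suspicious_network_activity
{
    meta:
        description = "Detects malware based on suspicious network activity"
    strings:
        // WinINet import names (substring: also matches InternetOpenA/W, HttpSendRequestEx...).
        $s1 = "InternetOpen"
        $s2 = "InternetConnect"
        $s3 = "HttpSendRequest"
    condition:
        // BUG FIX: the original condition was "any of ($s)". "$s" is a single string
        // identifier that is not declared, so YARA refuses to compile the rule set;
        // the set-wildcard form "($s*)" was intended.
        // Also gate on a PE header and require the full open/connect/send chain: any one
        // WinINet import is present in browsers, updaters and most network-aware software.
        uint16(0) == 0x5A4D and all of ($s*)
}

rule suspicious_code_execution
{
    meta:
        description = "Detects malware based on suspicious code execution"
    strings:
        // Decodes as: call rel32; add esp,8; mov [esi],eax; mov eax,imm32  -- a cdecl call
        // with two args whose result is stored through esi. Generic compiler output.
        $s1 = {E8 ?? ?? ?? ?? 83 C4 08 89 06 B8}
        // call rel32; mov edi,eax; add esp,4; mov [esi],edi; lea eax,[esi+4]
        $s2 = {E8 ?? ?? ?? ?? 8B F8 83 C4 04 89 3E 8D 46 04}
        // call rel32; add esp,4; test eax,eax; jz rel8; xor eax,eax
        $s3 = {E8 ?? ?? ?? ?? 83 C4 04 85 C0 74 ?? 33 C0}
    condition:
        // BUG FIX: "any of ($s)" -> "any of ($s*)" (same undeclared-identifier error as above).
        // NOTE(review): these sequences are ordinary x86 call/cleanup idioms and carry no
        // execution-technique semantics on their own; expect a high false-positive rate.
        any of ($s*)
}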

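rule suspicious_packers
{
    meta:
        description = "Detects malware based on suspicious packers"
    strings:
        // UPX: section names UPX0/UPX1 and the "UPX!" header magic. The original bare
        // "UPX" (3 bytes, no PE gate) matched random byte runs and any text mentioning UPX.
        $upx0 = "UPX0"
        $upx1 = "UPX1"
        $upx2 = "UPX!"
        // ASPack: section names plus the literal name kept from the original rule.
        $asp0 = ".aspack"
        $asp1 = "ASPack"
        // PECompact: literal name kept from the original rule.
        $pec0 = "PECompact"
    condition:
        // Gate on a PE header; packer section names are meaningless outside one.
        // NOTE(review): packing alone is not maliciousness -- many commercial binaries
        // ship UPX-packed. Use this as a triage tag, not a verdict.
        uint16(0) == 0x5A4D and any of them
}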

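rule suspicious_file_formats
{
    meta:
        description = "Tags files carrying a PE (MZ) or ELF header"
    condition:
        // The original rule searched for the 2-3 byte substrings "MZ", "PE" and "ELF"
        // anywhere in the file and required ALL of them, so it matched neither real PE
        // nor real ELF files but did match arbitrary text containing all three tokens.
        // A format is identified by its magic at offset 0, not by substrings:
        //   PE : "MZ" at 0 and "PE\0\0" at e_lfanew (dword at 0x3C)
        //   ELF: 7F 45 4C 46 at 0 (little-endian uint32 0x464C457F)
        // NOTE(review): a file format is not in itself suspicious; this is a
        // classification tag for routing samples, not a detection.
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550)
        or uint32(0) == 0x464C457F
}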

rule suspicious_cryptography
{
    meta:
        description = "Detects malware based on suspicious cryptography functions"
    strings:
        // Decodes as x86: push imm32; call rel32; add esp,4; test eax,eax; jz rel8;
        // lea eax,[ebx+4]  -- a one-argument cdecl call followed by a NULL/zero check.
        $s1 = {68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 04 85 C0 74 ?? 8D 43 04}
        // call rel32; add esp,8; mov [esi],eax; mov eax,imm32; ret imm16.
        // Its first 11 bytes are identical to suspicious_code_execution's $s1, so any
        // file hitting this string also hits that rule.
        $s2 = {E8 ?? ?? ?? ?? 83 C4 08 89 06 B8 ?? ?? ?? ?? C2}
        // call rel32; add esp,8; test eax,eax; jz rel8; lea eax,[esi+4].
        $s3 = {E8 ?? ?? ?? ?? 83 C4 08 85 C0 74 ?? 8D 46 04}
    condition:
        // NOTE(review): none of these byte sequences reference a cryptographic constant,
        // S-box or API; they are generic compiler call/cleanup idioms. Treat matches as
        // low-confidence and prefer CryptoAPI/BCrypt import names or algorithm constants
        // (e.g. AES S-box, RC4 KSA) for real crypto detection.
        any of ($s*)
}

asharbinkhalil commented 1 year ago

close