import "pe"
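rule CorkowDLL {
    meta:
        description = "Rule to detect the Corkow DLL files"
        author = "Group IB"
        // Date string kept as published; day/month order is not stated, confirm before
        // normalising it to the usual YYYY-MM-DD form.
        date = "01.02.2016"
        // Standard YARA meta key is `reference` (the original used `referenced`, which
        // most rule tooling does not recognise).
        reference = "https://www.group-ib.ru/brochures/Group-IB-Corkow-Report-EN.pdf"

    strings:
        // 32-bit code stub: pushad (60), pushfd (9C), mov ebx,imm32 (BB ..), sub ebx,imm32
        // (81 EB ..), a short near call (E8 xx 00 00 00), pop eax (58), sub eax,ebx (2B C3).
        // This decodes as a call/pop "get EIP" delta-offset prologue - presumably the DLL's
        // self-locating unpack/decrypt entry; confirm against a sample. The [0-8] jumps
        // tolerate junk or padding bytes between the instructions.
        $binary1 = { 60 [0-8] 9C [0-8] BB ?? ?? ?? ?? [0-8] 81 EB ?? ?? ?? ?? [0-8] E8 ?? 00 00 00 [0-8] 58 [0-8] 2B C3 }

        // 32-bit stdcall wrapper: push [ebp+xx] (or push ebx), push [ebp+10h], push [ebp+0Ch],
        // push [ebp+8], call rel32, ..., leave (C9), ret 0Ch (C2 0C 00). It forwards the three
        // arguments of a 12-byte-argument export (a DllMain-shaped signature) plus one extra
        // value to an inner routine - presumably a thin trampoline export; confirm on a sample.
        $binary2 = { (FF 75 ?? | 53) FF 75 10 FF 75 0C FF 75 08 E8 ?? ?? ?? ?? [3-9] C9 C2 0C 00 }

    condition:
        // Cheap MZ check first so string scanning and PE parsing only run on candidate files.
        uint16(0) == 0x5a4d and
        (
            // Branch 1: both code stubs present and at least one of the export names the
            // rule's author associates with Corkow DLLs.
            (
                all of ($binary*) and
                (
                    pe.exports("Control_RunDLL") or
                    pe.exports("ServiceMain") or
                    pe.exports("DllGetClassObject")
                )
            )
            or
            // Branch 2: export-only match with no byte-pattern anchor. YARA's `and` binds
            // tighter than `or`, so this alternative stands on its own; the grouping is now
            // written out explicitly because the original layout suggested it was nested
            // under `all of ($binary*)`, which it was not.
            // NOTE(review): any PE that exports both a ServiceMain (service DLL) and a
            // Control_RunDLL (rundll32-style) entry point hits here. The author judged the
            // combination sufficiently specific; validate the false-positive rate against a
            // clean set before using this rule for blocking rather than hunting.
            (
                pe.exports("ServiceMain") and        /* Service DLL */
                pe.exports("Control_RunDLL")         /* Sufficiently specific in this combination */
            )
        )
}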