YARA rule svchosts

2024-11-06 18:15:20 +00:00 · 2018-12-22 09:12:34 +01:00 · 2018-12-22 09:12:34 +01:00 · cf85a7cd31
commit cf85a7cd31
parent 4f666da806
1 changed files with 15 additions and 0 deletions
--- a/yara/gen_suspicious_strings.yar
+++ b/yara/gen_suspicious_strings.yar
@ -213,3 +213,18 @@ rule SUSP_Win32dll_String {
   condition:
      filesize < 60KB and all of them
 }
+
+rule SUSP_Modified_SystemExeFileName_in_File {
+   meta:
+      description = "Detecst a variant of a system file name often used by attackers to cloak their activity"
+      author = "Florian Roth"
+      reference = "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group"
+      date = "2018-12-11"
+      score = 65
+      hash1 = "5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a"
+      hash2 = "f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e"
+   strings:
+      $s1 = "svchosts.exe" fullword wide
+   condition:
+      uint16(0) == 0x5a4d and filesize < 200KB and 1 of them
+}