// Detects Duqu 1.5 module files by requiring a fixed set of ASCII/UTF-16
// strings and two raw byte patterns to co-occur in the scanned object.
rule Duqu1_5_modules {
    meta:
        author = "Silas Cutler (havex@chronicle.security)"
        // NOTE(review): key is "desc", not the conventional "description";
        // tooling that reads meta.description will not pick this text up.
        desc = "Detection for Duqu 1.5 modules"
        // SHA-256 of the sample this rule was written against.
        hash = "bb3961e2b473c22c3d5939adeb86819eb846ccd07f5736abb5e897918580aace"
        reference = "https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0"
    strings:
        // printf-style format string (ASCII) naming disk/fdisk components.
        $c1 = "%s(%d)disk(%d)fdisk(%d)"
        // NT device path format string; "wide" => matched as UTF-16LE.
        // The doubled backslashes are YARA escapes for single "\" characters.
        $c2 = "\\Device\\Floppy%d" wide
        // UTF-16LE literal; meaning within the module is not evident here.
        $c3 = "BrokenAudio" wide
        // Raw byte pattern. If this is x86 code it decodes as
        // "cmp dword ptr [edi], 0x7E4B18E9" (81 /7 id) — confirm against the sample.
        $m1 = { 81 3F E9 18 4B 7E}
        // Raw byte pattern. If this is x86 code it decodes as
        // "cmp dword ptr [eax+ebx+0x4F8], 0xB4EA20B3" — confirm against the sample.
        $m2 = { 81 BC 18 F8 04 00 00 B3 20 EA B4 }
    condition:
        // All five strings must be present; there is no file-type or size
        // guard. This keeps false positives low, but a variant that alters
        // any one constant (e.g. either immediate in $m1/$m2) will not match.
        all of them
}