Create apt28_backdoor_cls.yar

2019-08-30 10:52:28 +08:00
parent 2a75936f5d
commit 90144df854
1 changed files with 17 additions and 0 deletions
--- a/APT28/yara/apt28_backdoor_cls.yar
+++ b/APT28/yara/apt28_backdoor_cls.yar
@@ -0,0 +1,17 @@
+rule apt28_backdoor_cls
+{
+            strings:
+            $st1 = "AES_256_poco" ascii
+                       $st2 = "TEncryption" ascii
+                       $st3 = "shell" ascii
+            condition:
+                       all of them
+}
+
+rule apt28_backdoor_crc32
+{
+               strings:
+                              $xor1 = { 48 8B 07 39 48 0C 75 3A 44 8B 70 08 4C 8B 38 4D 85 C0 74 2E 45 85 E4 74 29 }                                      
+               condition:
+               $xor1
+}