mirror of
https://github.com/blackorbird/APT_REPORT.git
synced 2025-06-12 10:14:24 +00:00
100 lines
1.3 KiB
Plaintext
100 lines
1.3 KiB
Plaintext
rule TREKX_Backdoor
|
|
|
|
{
|
|
|
|
meta:
|
|
|
|
description = “X-Force IRIS TREKX Backdoor”
|
|
|
|
version = “1”
|
|
|
|
md5 = “01e4391421d56698bcaa1f3c05bd9818”
|
|
|
|
strings:
|
|
|
|
$ = “3.001.” wide ascii
|
|
|
|
$ = “2.TT.” wide ascii
|
|
|
|
$ = “4.PSPR.” wide ascii
|
|
|
|
$ = “4.RSPM.” wide ascii
|
|
|
|
$ = “TREK” wide ascii
|
|
|
|
$ = “TREC” wide ascii
|
|
|
|
$ = “TREX” wide ascii
|
|
|
|
$ = “*.tmp” wide ascii
|
|
|
|
$ = “SOFTWARE\\Microsoft\\DRM” wide ascii
|
|
|
|
$ = “srv.dat” wide ascii
|
|
|
|
$ = “<dt1>” wide ascii
|
|
|
|
$ = “File1” wide ascii
|
|
|
|
$ = “vf%03d” wide ascii
|
|
|
|
$ = “error 1!” wide ascii
|
|
|
|
$ = “{????????-????-????-????-????????????}” wide ascii
|
|
|
|
condition:
|
|
|
|
(uint16(0) == 0x5a4d) and (5 of them)
|
|
|
|
}
|
|
|
|
rule TREKX_Backdoor_Config
|
|
|
|
{
|
|
|
|
meta:
|
|
|
|
description = “X-Force IRIS TREKX Backdoor Configuration”
|
|
|
|
version = “1”
|
|
|
|
md5 = “ede89b446d8703dd13d26168e8d58865”
|
|
|
|
md5 = “7c08601341888b413779a3b33d8bf6dc”
|
|
|
|
condition:
|
|
|
|
// These are all the checks performed by the TREKX backdoor
|
|
|
|
// (md5:01e4391421d56698bcaa1f3c05bd9818) when
|
|
|
|
// checking the validity of the configuration file
|
|
|
|
(
|
|
|
|
(uint32(0) == 0x00AE2A6D)
|
|
|
|
or
|
|
|
|
(uint32(0) == 0x031B9D63)
|
|
|
|
)
|
|
|
|
and
|
|
|
|
(
|
|
|
|
filesize >= 230
|
|
|
|
)
|
|
|
|
and
|
|
|
|
(
|
|
|
|
uint16(filesize-2) == 0x0054
|
|
|
|
)
|
|
|
|
}
|