Common Information
| Type | Value |
|---|---|
| Value |
rule M_Launcher_FONELAUNCH_2 {
meta:
author = "Mandiant"
description = "Hunting rule looking for FONELAUNCH.DIALTONE samples."
md5 = "aef6d31b3249218d24a7f3682a00aa10"
strings:
$ilasmx86_sequence_fprototype_a = { 1F 30 20 1B 00 10 00 28 }
$ilasmx86_sequence_fprototype_b = { 26 11 ?? 11 ?? 07 6A 20 ?? 30 00 00 1F 40 28 }
$ilasmx86_sequence_encoding_a = { 0A 06 02 7D [3] 04 00 16 06 }
$ilasmx86_sequence_encoding_b = { 72 [3] 70 72 [3] 70 6F ?? 00 00 0A }
condition:
uint16(0) == 0x5A4D and all of ($ilasmx86_sequence_fprototype_*) and ($ilasmx86_sequence_encoding_a and #ilasmx86_sequence_encoding_b >= 16)
}
|
| Category | |
| Type | Yara Rule |
| Misp Type | |
| Description |