Common Information

| Field | Value |
|---|---|
| Value | YARA rule `CISA_3P_10327841_02` (listed in full below) |
| Category | |
| Type | Yara Rule |
| Misp Type | |
| Description | |

```yara
rule CISA_3P_10327841_02 : SOLARFLARE trojan
{
    meta:
        Author = "CISA Trusted Third Party"
        Incident = "10327841.r1.v1"
        Date = "2021-03-04"
        Actor = "n/a"
        Category = "Trojan"
        Family = "SOLARFLARE"
        Description = "Detects strings in WindowsDSVC_exe samples"
        // Hashes of the reference sample the rule was written against
        MD5_1 = "4de28110bfb88fdcdf4a0133e118d998"
        SHA256_1 = "fa1959dd382ce868c975599c6c3cc536aa0073be44fc8a6571a20fb0c8bea836"

    strings:
        // Go build marker plus the Go function symbol names of the sample
        $Go_Lang = "Go build ID:"
        $main_func = "main.main"
        $main_encrypt = "main.encrypt"
        $main_MD5 = "main.GetMD5Hash"
        $main_beacon = "main.beaconing"
        $main_command = "main.resolve_command"
        $main_key1 = "main.request_session_key"
        $main_key2 = "main.retrieve_session_key"
        $main_clean = "main.clean_file"
        $main_wget = "main.wget_file"

    condition:
        // uint16(0) is read little-endian, so 0x5A4D is the "MZ" PE/DOS header;
        // every one of the ten strings must be present for the rule to fire
        (uint16(0) == 0x5A4D) and all of them
}
```

The rule is deliberately narrow: it fires only on a PE file that contains all ten strings, so a build of the same tooling with a single function renamed or removed would not match. The `MD5_1` and `SHA256_1` meta fields identify the reference sample, not additional detection logic.
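To see exactly what the condition above accepts and rejects, the following is an added example (not part of the CISA rule or of the MISP page) that re-implements the `CISA_3P_10327841_02` logic in pure Python and runs it over constructed buffers: one that carries the MZ magic and all ten strings, one with a non-PE header, and one with a single string missing. The sample buffers are constructed for the demonstration; in practice you would compile the rule with yara-python and scan real files, but mirroring the condition this way lets the matching behaviour be checked offline.

```python
"""Pure-Python mirror of the CISA_3P_10327841_02 YARA condition.

Added example only: it reproduces the rule's logic so its behaviour can be
exercised on constructed data without a YARA engine. Real scanning should use
yara-python with the rule text itself.
"""
import struct
from typing import Dict, Iterable

# The ten literal strings from the rule, keyed by their YARA identifiers.
RULE_STRINGS: Dict[str, bytes] = {
    "$Go_Lang": b"Go build ID:",
    "$main_func": b"main.main",
    "$main_encrypt": b"main.encrypt",
    "$main_MD5": b"main.GetMD5Hash",
    "$main_beacon": b"main.beaconing",
    "$main_command": b"main.resolve_command",
    "$main_key1": b"main.request_session_key",
    "$main_key2": b"main.retrieve_session_key",
    "$main_clean": b"main.clean_file",
    "$main_wget": b"main.wget_file",
}


def is_mz(data: bytes) -> bool:
    """Mirror of `uint16(0) == 0x5A4D`.

    YARA reads uint16 little-endian, so the bytes b"MZ" (0x4D 0x5A) decode
    to 0x5A4D. A buffer shorter than two bytes cannot match.
    """
    if len(data) < 2:
        return False
    return struct.unpack_from("<H", data, 0)[0] == 0x5A4D


def match_solarflare(data: bytes) -> Dict[str, object]:
    """Evaluate the rule on `data` and return the per-string hits and verdict.

    `matched` mirrors `(uint16(0) == 0x5A4D) and all of them`.
    """
    hits = {name: (needle in data) for name, needle in RULE_STRINGS.items()}
    mz = is_mz(data)
    return {"mz": mz, "hits": hits, "matched": mz and all(hits.values())}


def build_sample(omit: Iterable[str] = (), mz: bool = True) -> bytes:
    """Constructed test buffer (hypothetical data, not a real binary).

    Starts with an MZ header (or an ELF magic when mz=False), followed by
    filler and each rule string not listed in `omit`, NUL-terminated.
    """
    omitted = set(omit)
    header = b"MZ" if mz else b"\x7fELF"
    body = bytearray(b"\x00" * 64)
    for name, needle in RULE_STRINGS.items():
        if name not in omitted:
            body += needle + b"\x00"
    return header + bytes(body)


if __name__ == "__main__":
    for label, sample in [
        ("full sample", build_sample()),
        ("non-PE header", build_sample(mz=False)),
        ("one string missing", build_sample(omit=["$main_wget"])),
    ]:
        result = match_solarflare(sample)
        missing = [n for n, hit in result["hits"].items() if not hit]
        print(f"{label:20s} mz={result['mz']} missing={missing} "
              f"matched={result['matched']}")
```

Running the script shows the third case: the header check passes and nine of ten strings are present, yet the verdict is negative, which is the `all of them` semantics in action.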