Common Information
| Type | Value |
|---|---|
| Value | see YARA rule below |
| Category | |
| Type | Yara Rule |
| Misp Type | |
| Description | |

```yara
rule SpicyHotPot_wdlogin {
    meta:
        description = "SpicyHotPot - wdlogin.exe: Used to identify memory dump uploading component"
        author = "jai-minton"
        reference = "https://www.crowdstrike.com/blog/author/jai-minton/"
        copyright = "(c) 2020 CrowdStrike Inc."
        date = "2020-11-01"
        hash1 = "7c0fdee3670cc53a22844d691307570a21ae3be3ce4b66e46bb6d9baad1774b8"
    strings:
        $x1 = "D:\\Work\\Install_Driver\\Driver_helper\\Release\\wdlogin.pdb" ascii fullword
        $x2 = "kmdf_protect.sys" ascii fullword
        $x3 = "kmdf_look.sys" ascii fullword
        $x4 = "/api/v1/post_dump" ascii fullword
        $s1 = "Negotiate: noauthpersist -> %d, header part: %s" ascii fullword
        $s2 = "https://db.testyk.com" ascii fullword
        $s3 = "https://da.testiu.com" ascii fullword
        $s4 = "https://du.testjj.com" ascii fullword
        $s5 = "schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names" ascii fullword
        $s6 = "No more connections allowed to host %s: %zu" ascii fullword
        $s7 = "RESOLVE %s:%d is - old addresses discarded!" ascii fullword
        $s8 = "Content-Disposition: %s%s%s%s%s%s%s" ascii fullword
        $s9 = "dumping" wide fullword
    condition:
        uint16(0) == 0x5a4d and filesize < 2000KB and 1 of ($x*) and 3 of ($s*)
}
```