import "pe"

// Flags PE files carrying CRASHOVERRIDE v1 component names together with the
// "Crash" export. Both halves are required: the file-name strings alone are
// weak indicators (several are short or generic), and the export check alone
// would match any DLL that happens to export a function called "Crash".
// Requires the "pe" module (imported at the top of the file).
rule dragos_crashoverride_name_search {
	meta:
		description = "CRASHOVERRIDE v1 Suspicious Strings and Export"
		author = "Dragos Inc"
	strings:
		// All strings are UTF-16LE only ("wide"), case-insensitive ("nocase")
		// and must be bounded by non-alphanumeric characters ("fullword"),
		// so "101.dll" matches inside a path or resource table but not
		// inside a longer token such as "x101.dll". ASCII-encoded copies of
		// these names are deliberately NOT covered by this rule.
		//
		// Module names, each with and without the "Crash" prefix. The numbers
		// (101, 104, 61850) and "OPC" presumably refer to the ICS protocols the
		// modules speak — see the referenced Dragos / CISA reports to confirm.
		$s0 = "101.dll" wide nocase fullword
		$s1 = "Crash101.dll" wide nocase fullword
		$s2 = "104.dll" wide nocase fullword
		$s3 = "Crash104.dll" wide nocase fullword
		$s4 = "61850.dll" wide nocase fullword
		$s5 = "Crash61850.dll" wide nocase fullword
		$s6 = "OPCClientDemo.dll" wide nocase fullword
		// NOTE(review): "OPC" is a three-character token that is common in
		// legitimate industrial software; it only stays useful here because
		// the condition also demands the "Crash" export. Do not reuse it in a
		// rule without an equivalent gate.
		$s7 = "OPC" wide nocase fullword
		$s8 = "CrashOPCClientDemo.dll" wide nocase fullword
		// Service / launcher executables, again plain and "Crash"-prefixed.
		$s9 = "D2MultiCommService.exe" wide nocase fullword
		$s10 = "CrashD2MultiCommService.exe" wide nocase fullword
		$s11 = "61850.exe" wide nocase fullword
		$s12 = "OPC.exe" wide nocase fullword
		// Additional component file names listed by the rule author; their
		// role is not described on this page — consult the referenced reports.
		$s13 = "haslo.exe" wide nocase fullword
		$s14 = "haslo.dat" wide nocase fullword
	condition:
		// A single string hit suffices, but the scanned file must also be a
		// PE whose export table contains a function named "Crash".
		// pe.exports() evaluates as undefined on non-PE input, and an
		// undefined operand makes the conjunction false, so text files,
		// documents or memory dumps without a PE header never match.
		// NOTE(review): whether pe.exports("Crash") compares the export name
		// case-sensitively depends on the YARA version — verify before relying
		// on it to catch variants such as "crash".
		any of ($s*) and pe.exports("Crash")
}
Details Published Attributes CTI Title
Details Pdf 2018-09-11 31 CrashOverride_revised091118
Details Website 2017-06-12 37 CrashOverride Malware | CISA