Common Information
Type | Value
---|---
Value | YARA rule (shown below)
Category | 
Type | Yara Rule
Misp Type | 
Description | 

```yara
rule SpicyHotPot_KMDF_LOOK {
    meta:
        description = "SpicyHotPot - KMDF_LOOK.sys: Used to identify browser hijacking component"
        author = "jai-minton"
        reference = "https://www.crowdstrike.com/blog/author/jai-minton/"
        copyright = "(c) 2020 CrowdStrike Inc."
        date = "2020-11-01"
        hash1 = "39764e887fd0b461d86c1be96018a4c2a670b1de90d05f86ed0acb357a683318"
    strings:
        $x1 = "G:\\SVN\\"
        $s1 = "TSWebDownLoadProtect.dll" wide fullword
        $s2 = "ShellIco.dll" wide fullword
        $s3 = "QMLogEx.dll" wide fullword
        $s4 = "SSOCommon.dll" wide fullword
        $s5 = "TsService.exe" ascii fullword
        $s6 = "Hookport.sys" wide fullword
        $s7 = "SafeWrapper32.dll" wide fullword
        $s8 = "safemon.dll" wide fullword
        $s9 = "iNetSafe.dll" wide fullword
        $s10 = "ieplus.dll" wide fullword
        $s11 = "wdui2.dll" wide fullword
        $s12 = "ExtBhoIEToSe.dll" wide fullword
        $s13 = "360NetBase.dll" wide fullword
        $s14 = "urlproc.dll" wide fullword
        $s15 = "360sdbho.dll" wide fullword
        $s16 = "360base.dll" wide fullword
        $s17 = "360UDiskGuard.dll" wide fullword
        $s18 = "TSClinicWebFix.dll" wide fullword
        $s19 = "QMEmKit.dll" wide fullword
        $s20 = "WdHPFileSafe.dll" wide fullword
    condition:
        uint16(0) == 0x5a4d and filesize < 1000KB and 8 of them
}
```