Common Information
| Type | Value |
|---|---|
| Value |
import "hash"
rule PoshC2_DotNet2JS {
meta:
description = "PoshC2 - DotNet2JS.js"
sha256 = "1193794ebfc3f9ae58e6bb443ecd783274285396c8b23533683e10da0c9d5c53"
strings:
$s1 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
$s2 = "AAAAAAAAAAAAAAAAAAAAAAAAA"
$s3 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
$s4 = "AAAAAAAAAAAAAEAAAE"
$s5 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
$s6 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAB"
$s7 = "AAAAAAAAAAAAAAAAAAAAAAAAB"
$s8 = "AAAAAAAAAAD"
$s9 = "AAAAAAAAAEA"
$s10 = "AAAAAAAAAAAAAAAAAAAAAAAAAAABD"
$s11 = "AADAAAABAAAA"
$s12 = "AAAAAAAAAAAAAAAAAAAAAcC0AAAAAAAB"
$s13 = "ADAAAAA4AA"
$s14 = "AAAAAAAAAAAAAE4A"
$s15 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAA"
$s16 = "AABAACAAAEAA"
$s17 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAA"
$s18 = "function dbg(s) {WScript.Echo(s);}" ascii fullword
$s19 = "var ba = enc.GetBytes_4(b);" ascii fullword
$s20 = "var length = enc.GetByteCount_2(b);" ascii fullword
condition:
hash.sha256(0, filesize) == "1193794ebfc3f9ae58e6bb443ecd783274285396c8b23533683e10da0c9d5c53" or uint16(0) == 0x6176 and filesize < 30KB and 8 of them
}
|
| Category | |
| Type | Yara Rule |
| Misp Type | |
| Description |