rule DevilBait_C2 {
	meta:
		author = "NCSC"
		description = "C2 and IoC strings found in Devil Bait second 
stage vbscript."
	strings:
		$file_1 = "sr011.xml"
		$must_func = "Roller"
		$must_C2 = ".co.kr"
		$c2_1 = "cross.php"
		$c2_2 = "report.php"
		$c2_3 = "list.php"
		$c2_4 = "show.php"
	condition:
		$file_1 and any of ($must_*) and any of ($c2_*)
}