Common Information
Value:
rule encodedHandshakeStrings {
	meta:
		author = "CISA trusted 3rd party"
		incident = "10271944.r3.v1"
		date = "2019-12-25"
		category = "Hidden_Cobra"
		family = "BUFFETLINE"
	strings:
		$e1 = { DD 91 4A 1D CB 93 52 0A D0 CB 0A 4C CA D5 08 4B CA 92 4B 1D DE 92 4B 1E D2 8B 5C 14 DE 92 5C }
		$e2 = { 81 8C 4D 1D D1 8A 52 1D D7 8A 4C 0D 8B C8 01 4C CD 9C 5E 0B DC 97 5E 12 95 CB 4A 48 CF 9C 53 }
	condition:
		(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them
}
Type: Yara Rule
Details: Website
Published: 2020-02-14
Attributes: 21
CTI Title: MAR-10271944-3.v1 – North Korean Trojan: BUFFETLINE | CISA