Common Information
Type | Value |
---|---|
Value |
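import "pe"
import "math"
import "hash"

// Matches either of two known samples exactly by SHA-256, or, heuristically,
// a small x86 PE that imports the service-configuration APIs below, has a
// very high overall entropy and carries at least 8 of the listed strings.
rule BruteRatel_BadgerService_x86 {
    meta:
        description = "BruteRatel - badger_x86_service.exe"
        sha256_1 = "ac99a80277cd93f35df6a962fb13fe807a28328433e5d1d8765a13e9bc9562cc"
        sha256_2 = "385c2e83b1f84acd9418c6cfaed52adc943d5b768ebe8dc731a73adf7edaa3a4"
    strings:
        // Service-description text (truncated in the original rule; kept byte-for-byte).
        $s1 = "Manages universal application core process that in Windows 8 and continues in Windows 10. It is used to determine whether univer"
        // Runtime pseudo-relocation / memory-protection error messages.
        $s2 = " VirtualQuery failed for %d bytes at address %p" ascii fullword
        $s3 = "%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p." ascii fullword
        // NOTE(review): $s4 is byte-identical to $s1, so a file containing that text
        // counts twice toward "8 of them". Left in place because removing it would
        // lower the effective threshold; retune "8 of them" if it is deduplicated.
        $s4 = "Manages universal application core process that in Windows 8 and continues in Windows 10. It is used to determine whether univer"
        $s5 = " VirtualProtect failed with code 0x%x" ascii fullword
        $s6 = "tion or microphone. It helps to transact records of your universal apps with the trust and privacy settings of user." ascii fullword
        $s7 = "TransactionBrokerService" ascii fullword
        $s8 = " Unknown pseudo relocation protocol version %d." ascii fullword
        // $s9-$s22 are short high-entropy fragments, presumably lifted from a
        // packed/encrypted region of the samples — expect them to be fragile
        // across rebuilds; the readable strings above are the durable part.
        $s9 = "'tSAc?" ascii fullword
        $s10 = "adME<2B" ascii fullword
        $s11 = "EtWnPlR@*" ascii fullword
        $s12 = "xA]%d$" ascii fullword
        $s13 = "bTIlD:L" ascii fullword
        $s14 = "eldi.#]" ascii fullword
        $s15 = "wglk!@" ascii fullword
        $s16 = "WLiF*q:" ascii fullword
        $s17 = "YypyU`C" ascii fullword
        $s18 = ")lXxY| 2" ascii fullword
        $s19 = "ODVYo{# #" ascii fullword
        $s20 = "qWTLG$i" ascii fullword
        $s21 = "}%EP%VJ|D" ascii fullword
        $s22 = "wOCo*.|j\\" ascii fullword
    condition:
        // Exact-hash branch for the two catalogued samples. This runs before the
        // structural checks, so SHA-256 is computed for every scanned file; gating
        // it behind the MZ/filesize checks would change which files can match, so
        // the original ordering of the alternatives is kept.
        hash.sha256(0, filesize) == "ac99a80277cd93f35df6a962fb13fe807a28328433e5d1d8765a13e9bc9562cc" or
        hash.sha256(0, filesize) == "385c2e83b1f84acd9418c6cfaed52adc943d5b768ebe8dc731a73adf7edaa3a4" or
        // Heuristic branch. The parentheses make the grouping explicit ('and'
        // binds tighter than 'or' in YARA, so this is what the original already
        // evaluated). The cheap header/size checks come first so the whole-file
        // entropy pass and string counting only run on small PE files.
        (
            uint16(0) == 0x5a4d and
            filesize < 700KB and
            pe.characteristics & pe.EXECUTABLE_IMAGE and
            pe.imports("kernel32.dll", "GetNativeSystemInfo") and
            pe.imports("kernel32.dll", "VirtualProtect") and
            pe.imports("advapi32.dll", "ChangeServiceConfig2A") and
            pe.imports("advapi32.dll", "ChangeServiceConfigA") and
            pe.imports("advapi32.dll", "StartServiceCtrlDispatcherA") and
            math.entropy(0, filesize) >= 7 and
            8 of them
        )
}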
Category | |
Type | Yara Rule |
Misp Type | |
Description |