Common Information
Type: Value
Value:
rule M_APT_Backdoor_Win_SIDESHOW_1 {
	meta:
		author = "Mandiant"
		description = "Detects string deobfuscation function in SIDESHOW, may also detect other variants of malware from the same actor"
	strings:
		$code1 = { 41 0F B6 ?? 33 ?? 48 ?? ?? 0F 1F 80 00 00 00 00 3A ?? 74 ?? FF ?? 48 FF ?? 83 ?? 48 72 ?? EB ?? 41 0F ?? ?? 2B ?? ?? 39 8E E3 38 83 ?? 48 F7 ?? C1 ?? 04 8D ?? ?? C1 ?? 03 2B ?? ?? 39 8E E3 38 }
	condition:
		uint16(0) == 0x5a4d and (all of them)
}
Category:
Type: Yara Rule
Misp Type:
Description:
Related CTI report: Stealing the LIGHTSHOW (Part One) — North Korea's UNC2970 | Mandiant (Website; published 2023-03-09; 86 attributes)