Common Information

Field | Value |
---|---|
Value | YARA rule (reproduced in full below) |
Category | |
Type | Yara Rule |
Misp Type | |
Description | |

```yara
rule PoS_Malware_fastpos2 : FastPOS2
{
    meta:
        author = "Trend Micro, Inc"
        date = "2016-09-21"
        description = "Used to detect newer FastPOS variants and their modules."
        sample_filetype = "exe"

    strings:
        $pdb0 = "\\_hookLoader\\Release\\_hookLoader.pdb" nocase
        $pdb1 = "\\_hookKlg\\Release\\_hookKlg.pdb" nocase
        $pdb2 = "\\_hookKlg\\x64\\Release\\_hookKlg.pdb" nocase
        $pdb3 = "\\_hookProc\\Release\\_hookProc.pdb" nocase
        $pdb4 = "\\_hookProc\\x64\\Release\\_hookProc.pdb" nocase
        $pdb5 = "\\_hookRecvSrvc\\Release\\_hookRecvSrvc.pdb" nocase

        $exec_ref0 = "\\kl32.exe"
        $exec_ref1 = "\\servhelp.exe"
        $exec_ref2 = "\\kbd.exe"
        $exec_ref3 = "\\servproc.exe"
        $exec_ref4 = "\\service.exe"
        $exec_ref5 = "\\proc64.exe"
        $exec_ref6 = "\\proc32.exe"
        $exec_ref7 = "//cdosys.php"

        $string0 = "DeleteService"
        $string1 = "CreateMailslotA"
        $string2 = "StartServiceCtrlDispatcherA"
        $string3 = "\\\\.\\mailslot\\trackslot"
        $string4 = "Can't install hook service"
        $string5 = " -r to remove hook." wide

    condition:
        (any of ($pdb*)) and (3 of ($exec_ref*)) and (2 of ($string*))
}
```
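To see what the condition actually requires, here is an added example that is not part of the MISP attribute or of Trend Micro's rule: a plain-Python emulation of the three string sets and the `any of` / `3 of` / `2 of` logic, run over constructed byte blobs (not bytes from real FastPOS samples) that exercise the `nocase` and `wide` modifiers. The helper names (`_present`, `evaluate_fastpos2`, `_blob`) and the sample blobs are assumptions of this example; the string literals are copied from the rule, whose `\\` escaping is identical to Python's.

```python
import re

# String sets transcribed from the rule above. Python's b"\\" escapes are the
# same as YARA's, so the literals below are copied from the rule verbatim.
PDB_STRINGS = [                       # matched `nocase`
    b"\\_hookLoader\\Release\\_hookLoader.pdb",
    b"\\_hookKlg\\Release\\_hookKlg.pdb",
    b"\\_hookKlg\\x64\\Release\\_hookKlg.pdb",
    b"\\_hookProc\\Release\\_hookProc.pdb",
    b"\\_hookProc\\x64\\Release\\_hookProc.pdb",
    b"\\_hookRecvSrvc\\Release\\_hookRecvSrvc.pdb",
]
EXEC_REF_STRINGS = [                  # plain ASCII, case-sensitive
    b"\\kl32.exe", b"\\servhelp.exe", b"\\kbd.exe", b"\\servproc.exe",
    b"\\service.exe", b"\\proc64.exe", b"\\proc32.exe", b"//cdosys.php",
]
PLAIN_STRINGS = [                     # the $string* set minus the `wide` entry
    b"DeleteService", b"CreateMailslotA", b"StartServiceCtrlDispatcherA",
    b"\\\\.\\mailslot\\trackslot", b"Can't install hook service",
]
WIDE_STRINGS = [b" -r to remove hook."]  # declared `wide`: UTF-16LE form only


def _present(data, needle, nocase=False, wide=False):
    """Return True if `needle` occurs in `data` under the given YARA modifiers.

    `wide` searches for the UTF-16LE encoding only (the rule has no `ascii`
    modifier on that string); `nocase` is ASCII case-insensitive, as in YARA.
    """
    if wide:
        needle = needle.decode("ascii").encode("utf-16-le")
    flags = re.IGNORECASE if nocase else 0
    return re.search(re.escape(needle), data, flags) is not None


def evaluate_fastpos2(data):
    """Emulate: (any of ($pdb*)) and (3 of ($exec_ref*)) and (2 of ($string*)).

    Returns (matched, hits); `hits` lists which strings of each set fired,
    which is the detail an analyst wants when triaging a match.
    """
    pdb = [s for s in PDB_STRINGS if _present(data, s, nocase=True)]
    exec_ref = [s for s in EXEC_REF_STRINGS if _present(data, s)]
    strings = [s for s in PLAIN_STRINGS if _present(data, s)]
    strings += [s for s in WIDE_STRINGS if _present(data, s, wide=True)]
    matched = len(pdb) >= 1 and len(exec_ref) >= 3 and len(strings) >= 2
    return matched, {"pdb": pdb, "exec_ref": exec_ref, "string": strings}


def _blob(*fragments):
    """Constructed stand-in for a binary: fragments separated by filler bytes."""
    return b"\x00" * 16 + b"\x90\x00\xcc".join(fragments) + b"\x00" * 16


# Constructed test inputs (hypothetical); none are bytes from real FastPOS samples.
SAMPLE_LOADER = _blob(                # everything the condition needs
    b"C:\\build\\_HOOKLOADER\\RELEASE\\_HOOKLOADER.PDB",  # upper-case: `nocase` still hits
    b"%APPDATA%\\kl32.exe", b"%APPDATA%\\servhelp.exe", b"%APPDATA%\\kbd.exe",
    b"CreateMailslotA",
    " -r to remove hook.".encode("utf-16-le"),           # the `wide` form
)
SAMPLE_ASCII_ONLY = _blob(            # same, but the usage string is ASCII
    b"\\_hookKlg\\Release\\_hookKlg.pdb",
    b"\\kl32.exe", b"\\servhelp.exe", b"\\kbd.exe",
    b"CreateMailslotA",
    b" -r to remove hook.",                               # not UTF-16LE: $string5 misses
)
SAMPLE_BENIGN_SERVICE = _blob(        # ordinary Windows service imports
    b"DeleteService", b"StartServiceCtrlDispatcherA",
    b"C:\\Windows\\System32\\service.exe",
)

if __name__ == "__main__":
    for name, blob in [("loader", SAMPLE_LOADER),
                       ("ascii-only", SAMPLE_ASCII_ONLY),
                       ("benign service", SAMPLE_BENIGN_SERVICE)]:
        hit, detail = evaluate_fastpos2(blob)
        counts = {k: len(v) for k, v in detail.items()}
        print(f"{name:15} match={hit} {counts}")
```

Two points the samples make explicit: `$string5` only fires on the UTF-16LE copy of " -r to remove hook.", so an ASCII-only build of the usage text leaves the `2 of ($string*)` clause short, and `DeleteService` plus `StartServiceCtrlDispatcherA` are imports found in most legitimate Windows service binaries, so the `$string*` set contributes little on its own; the specificity of the rule comes from the PDB paths and the dropped executable names. With `yara-python` installed, the same blobs can be run against the real rule via `yara.compile(source=rule_text).match(data=blob)` to confirm the emulation agrees with YARA.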