Common Information
| Type | Value |
|---|---|
| Value | YARA rule (shown below) |
| Category | |
| Type | Yara Rule |
| Misp Type | |
| Description | |

The rule stored in the Value field, reflowed from the single-line record into standard YARA layout (content unchanged):

```yara
rule SpicyHotPot_wccenter {
    meta:
        description = "SpicyHotPot - wccenter.exe: Used to identify malware that communicates with the rootkit component"
        author = "jai-minton"
        reference = "https://www.crowdstrike.com/blog/author/jai-minton/"
        copyright = "(c) 2020 CrowdStrike Inc."
        date = "2020-11-01"
        hash1 = "17095beda4afeabb7f41ff07cf866ddc42e49da1a4ed64b9c279072caab354f6"

    strings:
        // High-confidence indicators: PDB path and names of the companion components
        $x1 = "D:\\Work\\Install_Driver\\Driver_helper\\Release\\wccenter.pdb" ascii fullword
        $x2 = "wdlogin.exe" wide fullword
        $x3 = "wuhost.exe" wide fullword
        $x4 = "wrme.exe" wide fullword

        // Supporting strings: runtime/RTTI artifacts and signer details
        $s1 = "AppPolicyGetProcessTerminationMethod" ascii fullword
        $s2 = " Type Descriptor'" ascii fullword
        $s3 = "&Beijing JoinHope Image Technology Ltd.1/0-" ascii fullword
        $s4 = "operator co_await" ascii fullword
        $s5 = "&Beijing JoinHope Image Technology Ltd.0" ascii fullword
        $s6 = "RvVersion" wide fullword
        $s7 = " Class Hierarchy Descriptor'" ascii fullword
        $s8 = "Base Class Descriptor"
        $s9 = "Beijing1" ascii fullword
        $s10 = " Complete Object Locator'" ascii fullword

    condition:
        // MZ header (PE file), small binary, at least two high-confidence and four supporting strings
        uint16(0) == 0x5a4d and filesize < 400KB and 2 of ($x*) and 4 of ($s*)
}
```