Common Information
| Type | Value |
|---|---|
| Value |
rule rovnix_downloader {
meta:
author = "McAfee"
description = "Rovnix downloader with sinkhole checks"
strings:
$sink1 = "control"
$sink2 = "sink"
$sink3 = "hole"
$sink4 = "dynadot"
$sink5 = "block"
$sink6 = "malw"
$sink7 = "anti"
$sink8 = "googl"
$sink9 = "hack"
$sink10 = "trojan"
$sink11 = "abuse"
$sink12 = "virus"
$sink13 = "black"
$sink14 = "spam"
$boot = "BOOTKIT_DLL.dll"
$mz = { 4D 5A }
condition:
$mz in (0 .. 2) and all of ($sink*) and $boot
}
|
| Category | |
| Type | Yara Rule |
| Misp Type | |
| Description |