Common Information
Type | Value |
---|---|
Value |
// Mandiant hunting rule for LIGHTSHOW. Behaviourally identical to the published
// one-line rule: reformatted, and hex patterns that encode plain ASCII rewritten
// as text strings (YARA text strings match the exact bytes, case-sensitive, narrow).
rule M_Code_LIGHTSHOW
{
    meta:
        author = "Mandiant"
        description = "Hunting rule For LIGHTSHOW."
        // NOTE(review): this value is 64 hex characters (the length of a SHA-256),
        // not a 32-character MD5 — confirm which hash the field is meant to carry.
        md5 = "ee5057da3e38b934dae15644c6eb24507fb5a187630c75725075b24a70065452"

    strings:
        // Module name expected in the sample (presumably its own module/export name).
        $E01 = "FudModule.dll"

        // Imported DLL names; $I03 keeps the trailing NUL of the original pattern.
        $I01 = "bcrypt.dll"
        $I02 = "KERNEL32.dll"
        $I03 = "user32.dll\x00"

        // PE anchors: the MZ magic and a fragment of the DOS-stub message text.
        $H1 = { 4D 5A 90 00 }
        $H2 = "is program canno"

        // Imported API names.
        $F01 = "GetModuleFileNameW"
        $F02 = "GetModuleHandleA"
        $F03 = "GetFileType"
        $F04 = "GetVersion"
        $F05 = "QueryServiceStatus"
        $F06 = "BCryptOpenAlgorithmProvider"

        // Code byte sequences taken from the sample; their meaning is not
        // recoverable from the rule itself.
        $M01 = { 68 2D 79 6E B1 }
        $M02 = { 68 EA 71 C2 55 }
        $M03 = { 66 B8 AD EB }
        $M04 = { 4C 8D 2C 6D B3 6C 05 39 }
        $M05 = { 48 8D 2C 95 08 9D EC 9A }
        $S01 = { 48 8D 0C F5 A3 CD 0A EB }
        $S02 = { 81 F9 7F 56 E6 0A }

    condition:
        // Size window, then both PE anchors within the first 2 KiB of the file.
        filesize > 5KB and filesize < 100MB
        and $H1 in (0 .. 2048) and $H2 in (0 .. 2048)
        // Every code sequence, module name and import DLL must be present.
        // `6 of ($F0*)` behaves as `all of` while there are exactly six $F0 strings.
        and all of ($M0*) and all of ($E*) and all of ($I0*)
        and 6 of ($F0*) and all of ($S0*)
}
Category | |
Type | Yara Rule |
Misp Type | |
Description |