Common Information
Type | Value |
---|---|
Value | rule M_OBFUSLAY_UNC1860_1 { meta: desc = "Detects the UNC1860 OBFUSLAY malware by its string decryption method" rs1 = "b66919a18322aa4ce2ad47d149b7fe38063cd3cfa2e4062cd1a01ad6b3e47651" strings: $a1 = { FE 09 00 00 6F ?? 00 00 0A FE 0E 00 00 FE 0C 00 00 20 02 00 00 00 5B 8D ?? 00 00 01 FE 0E 01 00 20 00 00 00 00 FE 0E 04 00 38 39 00 00 00 FE 0C 01 00 FE 0C 04 00 20 02 00 00 00 5B FE 09 00 00 FE 0C 04 00 20 02 00 00 00 6F ?? 00 00 0A 20 10 00 00 00 28 ?? 00 00 0A 9C FE 0C 04 00 20 02 00 00 00 58 FE 0E 04 00 FE 0C 04 00 FE 0C 00 00 3F BA FF FF FF FE 0C 01 00 } condition: uint16(0) == 0x5A4D and all of them } |
Category | |
Type | Yara Rule |
Misp Type | |
Description |