Common Information
| Type | Value |
|---|---|
| Value | YARA rule `SpicyHotPot__J861` (reproduced below) |
| Category | |
| Type | Yara Rule |
| Misp Type | |
| Description | |

```yara
rule SpicyHotPot__J861 {
    meta:
        description = "SpicyHotPot - _J861.exe: Used to identify system fingerprinting, enumeration and networking component"
        author = "jai-minton"
        reference = "https://www.crowdstrike.com/blog/author/jai-minton/"
        copyright = "(c) 2020 CrowdStrike Inc."
        date = "2020-11-01"
        hash1 = "c83e6b96ee3aa1a580157547eae88d112d2202d710218f2ed496f7fe3d861abc"

    strings:
        // High-confidence ($x) strings: build artefact (PDB path) and hardcoded URL
        $x1 = "E:\\work\\Icon_Report\\Release\\_service.pdb" ascii fullword
        $x2 = "RESOLVE %s:%d is - old addresses discarded!" ascii fullword
        $x3 = "https://du.testjj.com/api/v1/id" ascii fullword

        // Supporting ($s) strings: networking library messages, drive enumeration and self-deletion command
        $s1 = "SEC_E_ILLEGAL_MESSAGE (0xX)"
        $s2 = "Failed reading the chunked-encoded stream" ascii fullword
        $s3 = "Negotiate: noauthpersist -> %d, header part: %s" ascii fullword
        $s4 = "AppPolicyGetProcessTerminationMethod" ascii fullword
        $s5 = "schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names" ascii fullword
        $s6 = "failed to load WS2_32.DLL (%u)" ascii fullword
        $s7 = "/c ping -n 3 127.1 >nul & del /q %s" ascii fullword
        $s8 = "No more connections allowed to host %s: %zu" ascii fullword
        $s9 = "%d ReadPhysicalDriveInNTUsingSmart ERROR DeviceIoControl(%d, SMART_GET_VERSION) returned 0, error is %d" ascii fullword
        $s10 = "%d ReadPhysicalDriveInNTWithAdminRights ERROR DeviceIoControl() %d, DFP_GET_VERSION) returned 0, error is %d" ascii fullword
        $s11 = "Content-Disposition: %s%s%s%s%s%s%s" ascii fullword
        $s12 = "Content-Type: %s%s%s" ascii fullword
        $s13 = "SOCKS4%s: connecting to HTTP proxy %s port %d" ascii fullword
        $s14 = "No valid port number in connect to host string (%s)" ascii fullword
        $s15 = "Excess found in a read: excess = %zu, size = %I64d, maxdownload = %I64d, bytecount = %I64d" ascii fullword

    condition:
        // PE file ("MZ" header), under 3 MB, with 2 of the high-confidence strings and 8 of the supporting strings
        uint16(0) == 0x5a4d and filesize < 3000KB and 2 of ($x*) and 8 of ($s*)
}
```