// Detects the DvLayout.exe installer component of the Spicy Hot Pot rootkit
// (see meta.description / meta.reference). Match logic: PE file under 800KB
// carrying at least one high-confidence ($x*) string and five supporting
// ($s*) strings.
rule SpicyHotPot_DvLayout {
	meta:
		description = "SpicyHotPot - DvLayout.exe: Used to identify rootkit installation component"
		author = "jai-minton"
		reference = "https://www.crowdstrike.com/blog/author/jai-minton/"
		copyright = "(c) 2020 CrowdStrike Inc."
		date = "2020-11-01"
		hash1 = "551c4564d5ff537572fd356fe96df7c45bf62de9351fae5bb4e6f81dcbe34ae5"
	strings:
		// $x*: high-confidence indicators -- driver file names and a registry
		// path fragment specific to this component.
		$x1 = "KMDF_LOOK.sys" ascii fullword
		$x2 = "KMDF_Protect.sys" ascii fullword
		$x3 = "StartService Error, errorode is : %d ." ascii fullword
		$x4 = "Software\\Microsoft\\%s\\st" wide fullword
		// $s*: supporting strings (error messages, runtime imports, cleanup
		// commands); individually weak, used only via the "5 of" threshold.
		$s1 = "AppPolicyGetProcessTerminationMethod" ascii fullword
		$s2 = "@api-ms-win-core-synch-l1-2-0.dll" wide fullword
		$s3 = "Genealogy.ini" wide fullword
		$s4 = "powercfg /h off" ascii fullword
		$s5 = " Type Descriptor'" ascii fullword
		// NOTE(review): $s6/$s7 are byte-identical definitions (same text, both
		// ascii), as are $s8/$s9 (both wide). Each pair matches or fails
		// together, so a single hit counts twice toward "5 of ($s*)" and the
		// effective threshold is lower than it appears. Possibly one member of
		// each pair was intended as the other encoding (ascii vs wide) -- TODO
		// confirm against the referenced sample before changing either string
		// or the threshold.
		$s6 = "find %s failed , errorcode : %d" ascii fullword
		$s7 = "find %s failed , errorcode : %d" ascii fullword
		$s8 = "Delete %s failed , errorcode : %d" wide fullword
		$s9 = "Delete %s failed , errorcode : %d" wide fullword
		$s10 = "OpenService failed , errorcode : %d" wide fullword
		$s11 = "&Beijing JoinHope Image Technology Ltd.1/0-" ascii fullword
		$s12 = "/c del /q %s" ascii fullword
	condition:
		// uint16(0) == 0x5a4d: "MZ" DOS header, i.e. a PE/executable.
		// filesize bound keeps the rule from scanning large unrelated files.
		uint16(0) == 0x5a4d and filesize < 800KB and 1 of ($x*) and 5 of ($s*)
}
Type Yara Rule
Details Website 2020-12-22 66 Spicy Hot Pot Rootkit: Finding, Hunting, and Eradicating It