rule M_Launcher_FONELAUNCH_1 {
	meta:
		author = "Mandiant"
		description = "Hunting rule looking for FONELAUNCH.FAX samples."
		md5 = "d6220ca85c44e2012f76193b38881185"
	strings:
		// Byte patterns the author labels as x86 IL sequence encodings.
		// In YARA hex strings, [3] skips exactly three arbitrary bytes and
		// ?? matches any single byte.
		$ilasmx86_sequence_encoding_a = { 0A 06 02 7D [3] 04 00 16 06 }
		$ilasmx86_sequence_encoding_b = { 72 [3] 70 72 [3] 70 6F ?? 00 00 0A }
		// Text artifacts; the first two are plain ASCII, while the
		// GetEnvironmentVariable call is matched only in its UTF-16LE
		// ("wide") encoding.
		$str_method_a = "OpenSubKey"
		$str_namespace = "System.Reflection"
		$str_method_b = "[Environment]::GetEnvironmentVariable(" wide
	condition:
		// "MZ" at offset 0: 0x5A4D little-endian is the bytes 4D 5A.
		uint16(0) == 0x5A4D
		// Every text artifact must be present (spelled out rather than via
		// `all of ($str_*)`; both forms are equivalent here).
		and $str_method_a
		and $str_namespace
		and $str_method_b
		// The first byte pattern must occur at least once; `#` counts
		// occurrences, so the second must occur 16 or more times.
		and $ilasmx86_sequence_encoding_a
		and #ilasmx86_sequence_encoding_b >= 16
}
Type Yara Rule
Details Website 2023-01-26 86 Welcome to Goot Camp: Tracking the Evolution of GOOTLOADER Operations | Mandiant