rule Cobra_Trojan_Stage1 {
	meta:
		description = "Cobra Trojan  Stage 1"
		author = "Florian Roth"
		reference = "https://blog.gdatasoftware.com/blog/article/analysis-of-project-cobra.html"
		date = "2015/02/18"
		hash = "a28164de29e51f154be12d163ce5818fceb69233"
	strings:
		$x1 = "KmSvc.DLL" wide fullword
		$x2 = "SVCHostServiceDll_W2K3.dll" ascii fullword
		$s1 = "Microsoft Corporation. All rights reserved." wide fullword
		$s2 = "srservice" wide fullword
		$s3 = "Key Management Service" wide fullword
		$s4 = "msimghlp.dll" wide fullword
		$s5 = "_ServiceCtrlHandler@16" ascii fullword
		$s6 = "ModuleStart" ascii fullword
		$s7 = "ModuleStop" ascii fullword
		$s8 = "5.2.3790.3959 (srv03.sp2.070216-1710)" wide fullword
	condition:
		uint16(0) == 0x5A4D and filesize < 50000 and 1 of ($x*) and 6 of ($s*)
}