1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule NetWiredRC_B : rat
{
meta:
description = "NetWiredRC"
author = "Jean-Philippe Teissier / @Jipe_"
date = "2014-12-23"
filetype = "memory"
version = "1.1"
strings:
$mutex = "LmddnIkX"
$str1 = "%s.Identifier"
$str2 = "%d:%I64u:%s%s;"
$str3 = "%s%.2d-%.2d-%.4d"
$str4 = "[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]"
$str5 = "%.2d/%.2d/%d %.2d:%.2d:%.2d"
$klg1 = "[Backspace]"
$klg2 = "[Enter]"
$klg3 = "[Tab]"
$klg4 = "[Arrow Left]"
$klg5 = "[Arrow Up]"
$klg6 = "[Arrow Right]"
$klg7 = "[Arrow Down]"
$klg8 = "[Home]"
$klg9 = "[Page Up]"
$klg10 = "[Page Down]"
$klg11 = "[End]"
$klg12 = "[Break]"
$klg13 = "[Delete]"
$klg14 = "[Insert]"
$klg15 = "[Print Screen]"
$klg16 = "[Scroll Lock]"
$klg17 = "[Caps Lock]"
$klg18 = "[Alt]"
$klg19 = "[Esc]"
$klg20 = "[Ctrl+%c]"
condition:
$mutex or (1 of ($str*) and 1 of ($klg*))
}