Create ponmocup_plugin_memory.yar

Ponmocup rule from FOX-IT

Create ponmocup_plugin_memory.yar
Ponmocup rule from FOX-IT
4af188f2 · Marc Rivero López · 73bf2265 · 4af188f2
Commit 4af188f2 authored Dec 02, 2015 by Marc Rivero López
Show whitespace changes
Inline Side-by-side

Showing with 54 additions and 0 deletions

ponmocup_plugin_memory.yar malware/ponmocup_plugin_memory.yar +54 -0

No files found.
--- a/malware/ponmocup_plugin_memory.yar
+++ b/malware/ponmocup_plugin_memory.yar
+rule Ponmocup : plugins 
+{
+ 			meta: 
+ 					description = "Ponmocup plugin detection (memory)"
+ 					author = "Danny Heppener, Fox-IT"
+ 					reference: "https://foxitsecurity.files.wordpress.com/2015/12/foxit-whitepaper_ponmocup_1_1.pdf"
+ 			strings:
+					 $1100 = {4D 5A 90 [29] 4C 04}
+					 $1201 = {4D 5A 90 [29] B1 04}
+					 $1300 = {4D 5A 90 [29] 14 05}
+					 $1350 = {4D 5A 90 [29] 46 05}
+					 $1400 = {4D 5A 90 [29] 78 05}
+					 $1402 = {4D 5A 90 [29] 7A 05}
+					 $1403 = {4D 5A 90 [29] 7B 05}
+					 $1404 = {4D 5A 90 [29] 7C 05}
+					 $1405 = {4D 5A 90 [29] 7D 05}
+					 $1406 = {4D 5A 90 [29] 7E 05}
+					 $1500 = {4D 5A 90 [29] DC 05}
+					 $1501 = {4D 5A 90 [29] DD 05}
+					 $1502 = {4D 5A 90 [29] DE 05}
+					 $1505 = {4D 5A 90 [29] E1 05}
+					 $1506 = {4D 5A 90 [29] E2 05}
+					 $1507 = {4D 5A 90 [29] E3 05}
+					 $1508 = {4D 5A 90 [29] E4 05}
+					 $1509 = {4D 5A 90 [29] E5 05}
+					 $1510 = {4D 5A 90 [29] E6 05}
+					 $1511 = {4D 5A 90 [29] E7 05}
+					 $1512 = {4D 5A 90 [29] E8 05}
+					 $1600 = {4D 5A 90 [29] 40 06}
+					 $1601 = {4D 5A 90 [29] 41 06}
+					 $1700 = {4D 5A 90 [29] A4 06}
+					 $1800 = {4D 5A 90 [29] 08 07}
+					 $1801 = {4D 5A 90 [29] 09 07}
+					 $1802 = {4D 5A 90 [29] 0A 07}
+					 $1803 = {4D 5A 90 [29] 0B 07}
+					 $2001 = {4D 5A 90 [29] D1 07}
+					 $2002 = {4D 5A 90 [29] D2 07}
+					 $2003 = {4D 5A 90 [29] D3 07}
+					 $2004 = {4D 5A 90 [29] D4 07}
+					 $2500 = {4D 5A 90 [29] C4 09}
+					 $2501 = {4D 5A 90 [29] C5 09}
+					 $2550 = {4D 5A 90 [29] F6 09}
+					 $2600 = {4D 5A 90 [29] 28 0A}
+					 $2610 = {4D 5A 90 [29] 32 0A}
+					 $2700 = {4D 5A 90 [29] 8C 0A}
+					 $2701 = {4D 5A 90 [29] 8D 0A}
+					 $2750 = {4D 5A 90 [29] BE 0A}
+					 $2760 = {4D 5A 90 [29] C8 0A}
+					 $2810 = {4D 5A 90 [29] FA 0A}
+ 			condition:
+ 					 any of ($1100,$1201,$1300,$1350,$1400,$1402,$1403,$1404,$1405,$1406,
+$1500,$1501,$1502,$1505,$1506,$1507,$1508,$1509,$1510,$1511,$1512,$1600,$1601,$1700,$1800,$1801,
+$1802,$1803,$2001,$2002,$2003,$2004,$2500,$2501,$2550,$2600,$2610,$2700,$2701,$2750,$2760,$2810)
+}