Create MALW_Jolob_Backdoor.yar

7b7954b2 · mmorenog · GitHub · 50ebac03 · 7b7954b2
Commit 7b7954b2 authored Sep 30, 2016 by mmorenog Committed by GitHub Sep 30, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 31 additions and 0 deletions

MALW_Jolob_Backdoor.yar malware/MALW_Jolob_Backdoor.yar +31 -0

No files found.
--- a/malware/MALW_Jolob_Backdoor.yar
+++ b/malware/MALW_Jolob_Backdoor.yar
+rule Backdoor_Jolob
+{
+	meta:
+		maltype = "Backdoor.Jolob"
+    ref = "https://github.com/reed1713"
+		reference = "http://www.symantec.com/connect/blogs/new-flash-zero-day-linked-yet-more-watering-hole-attacks"
+		description = "the backdoor registers an auto start service with the display name \"Network Access Management Agent\" pointing to the dll netfilter.dll. This is accomplished without notifying the user via the sysprep UAC bypass method."
+	strings:   
+		$type = "Microsoft-Windows-Security-Auditing"
+		$eventid = "4673"
+		$data1 = "Security"
+		$data2 = "SeCreateGlobalPrivilege"
+		$data3 = "Windows\\System32\\sysprep\\sysprep.exe" nocase
+        
+		$type1 = "Microsoft-Windows-Security-Auditing"
+		$eventid1 = "4688"
+		$data4 = "Windows\\System32\\sysprep\\sysprep.exe" nocase
+        
+		$type2 = "Service Control Manager"
+		$eventid2 = "7036"
+		$data5 = "Network Access Management Agent"
+		$data6 = "running"
+        
+		$type3 = "Service Control Manager"
+		$eventid3 = "7045"
+		$data7 = "Network Access Management Agent"
+		$data8 = "user mode service"
+		$data9 = "auto start"      
+    condition:
+    	all of them
+}