loader_cruloader.yar
rule Loader_Cruloader_Strings : malware cruloader {
    meta:
        author = "albertzsigovits"
        sha256 = "a0ac02a1e6c908b90173e86c3e321f2bab082ed45236503a21eb7d984de10611"
        reference = "https://courses.zero2auto.com"
    strings:
        // Plain-text indicators. The identifiers are for readability only;
        // the condition still counts hits across all four of them.
        $key      = "kkd5YdPM24VBXmi"                                                    // RC4 key (per original annotation)
        $alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890./="  // 66-char alphabet (a-z, A-Z, digits, "./="); labelled ROT13 charset in the original
        $a_run    = "aaaaaaaaaaaaaaaap"
        $name     = "cruloader" ascii wide                                               // also matched as UTF-16LE
    condition:
        // Any two of the four. NOTE(review): there is no file-type or size
        // guard, so text that merely quotes these values (analysis reports,
        // this rule file) matches as well; add a guard if that proves noisy.
        2 of ($key, $alphabet, $a_run, $name)
}
rule Loader_Cruloader_Crypto : malware cruloader {
    meta:
        author = "albertzsigovits"
        sha256 = "279d481e36cb7d6195d83b7bc0222bc9c8f4ca5afa68facfe6177453bbd2a28f"
        reference = "https://courses.zero2auto.com"
    strings:
        // Byte loop: load a byte, rotate it left, xor it, store it back,
        // bump ecx and branch back while ecx < eax. The rotate count, the
        // xor constant and the stack displacement are wildcarded (??).
        $rol_xor_loop = {
            8A 54 0D ??          // mov dl, [ebp+ecx-30h]
            C0 C2 ??             // rol dl, 4
            80 F2 ??             // xor dl, 0A2h
            88 54 0D ??          // mov [ebp+ecx-30h], dl
            41                   // inc ecx
            3B C8                // cmp ecx, eax
            7C ED                // jl  short loc_401D00
        }
        // Word load followed by a split: ecx masked with a constant whose
        // upper two bytes are zero (low bytes wildcarded), ax shifted right
        // by a wildcarded count, and the result compared to a wildcarded byte.
        $word_split = {
            0F B7 0C ??          // movzx ecx, word ptr [ecx+edx*2]
            66 8B C1             // mov ax, cx
            81 E1 ?? ?? 00 00    // and ecx, 0FFFh
            66 C1 E8 ??          // shr ax, 0Ch
            0F B7 C0             // movzx eax, ax
            83 F8 ??             // cmp eax, 3
            74 09                // jz  short loc_4019E2
        }
    condition:
        // Both sequences are required; either one alone does not fire.
        all of ($rol_xor_loop, $word_split)
}