How did the Aggah campaign keep a botnet running for over a year without renting a single server?
Source: 岁月联盟
Date: 2020-03-16
strings:
$a1 = { 1A 88 63 8D A9 78 43 FF }
$a2 = { 0D 1B 43 00 1B 44 00 FB 30 1C 33 }
$s1 = "Shell"
condition:
all of them
}
rule YAKKA3_Campaign_Jan_20_Injector_Module {
meta:
description = "Yara Rule for Yakka3 campaign Injector module"
author = "Cybaze Zlab_Yoroi"
last_updated = "2020-01-23"
tlp = "white"
category = "informational"
strings:
// Literal strings present in the injector; WriteProcessMemory is the API it calls to write the payload into the target process
$s1 = "vroombrooomkrooom"
$s2 = "kekedoyouloveme"
$s3 = "WriteProcessMemory"
$a1 = { 00 ED 08 8C 05 31 00 ED 08 43 }
condition:
// uint16(0) == 0x5A4D reads the little-endian "MZ" magic, restricting the rule to PE files
uint16(0) == 0x5A4D and all of them
}
rule YAKKA3_Campaign_Jan_20_CMSTP_Bypass {
meta:
description = "Yara Rule for Yakka3 campaign CMSTP Bypass"
author = "Cybaze Zlab_Yoroi"
last_updated = "2020-01-23"
tlp = "white"
category = "informational"
strings:
// The CMSTP UAC bypass feeds an attacker-controlled INF file to cmstp.exe; "ascii wide" matches both the
// plain and the UTF-16LE form of each string, since .NET and Windows binaries store many strings as UTF-16
$s1 = "cmstp.exe" ascii wide
$s2 = "CurrentVersion" ascii wide
$s3 = "INF" ascii wide
$a1 = { 0A 06 8E 69 2D 06 7E 18 }
condition:
uint16(0) == 0x5A4D and all of them
}
rule YAKKA3_Campaign_Jan_20_LokiBOT_Payload {
meta:
description = "Yara Rule for Yakka3 campaign Loki bot Payload"
author = "Cybaze Zlab_Yoroi"
last_updated = "2020-01-23"
tlp = "white"
category = "informational"
strings:
$s1 = "Fuckav.ru" ascii wide
// "wide" only: the plain 8-byte ASCII form of SOFTWARE does not count towards #s2
$s2 = "SOFTWARE" wide
condition:
// #s2 is the number of matches of $s2: the file must be a PE, carry the $s1 marker,
// and contain more than ten UTF-16 "SOFTWARE" strings (registry paths)
uint16(0) == 0x5A4D and $s1 and #s2 > 10
}
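The LokiBOT rule above is the one whose condition is easiest to get wrong when reading it (the `wide` modifier and the `#s2` match count). The following Python script is an added example, not code from the article or from the Yoroi/Cybaze authors: it re-implements, without yara-python, exactly the matching semantics that rule depends on (the MZ magic read, the `ascii`/`wide` encodings, and YARA's overlapping match count) and evaluates the condition against constructed byte buffers. The buffers and the `build_sample` helper are synthetic test data, not real LokiBot samples.

```python
# Added example (not from the original article or the Yoroi/Cybaze rule set):
# a dependency-free re-implementation of the matching semantics used by
# YAKKA3_Campaign_Jan_20_LokiBOT_Payload, so that the condition
#   uint16(0) == 0x5A4D and $s1 and #s2 > 10
# can be exercised against constructed buffers when yara-python is not installed.
# All "samples" built here are synthetic byte strings, not real LokiBot binaries.
import struct


def yara_patterns(text: str, ascii_mod: bool, wide_mod: bool) -> list:
    """Byte patterns YARA searches for under the `ascii` / `wide` modifiers.

    `ascii` is the raw bytes; `wide` is the UTF-16LE form (each character
    followed by a 0x00 byte) that Windows binaries use for registry paths.
    A string declared with `wide` only, like $s2, does not match the plain form.
    """
    patterns = []
    if ascii_mod:
        patterns.append(text.encode("ascii"))
    if wide_mod:
        patterns.append(text.encode("utf-16-le"))
    return patterns


def match_count(data: bytes, patterns: list) -> int:
    """Number of match positions for any of the patterns (YARA's `#s` count).

    YARA reports overlapping matches, so the search restarts one byte after
    each hit rather than after the end of the previous match.
    """
    total = 0
    for pat in patterns:
        pos = data.find(pat)
        while pos != -1:
            total += 1
            pos = data.find(pat, pos + 1)
    return total


def is_mz(data: bytes) -> bool:
    """uint16(0) == 0x5A4D: a little-endian 16-bit read at offset 0 equals 'MZ'."""
    return len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D


# $s1 = "Fuckav.ru" ascii wide
S1 = yara_patterns("Fuckav.ru", ascii_mod=True, wide_mod=True)
# $s2 = "SOFTWARE" wide
S2 = yara_patterns("SOFTWARE", ascii_mod=False, wide_mod=True)


def lokibot_rule(data: bytes) -> bool:
    """Evaluate: uint16(0) == 0x5A4D and $s1 and #s2 > 10."""
    return is_mz(data) and match_count(data, S1) > 0 and match_count(data, S2) > 10


def build_sample(mz: bool, marker: bytes, software_wide: int, software_ascii: int = 0) -> bytes:
    """Constructed buffer (hypothetical helper): an MZ or non-MZ header, the $s1
    marker bytes, then N UTF-16LE and M plain-ASCII registry-path strings."""
    buf = bytearray(b"MZ" if mz else b"PK")
    buf += b"\x00" * 62                      # pad out a fake DOS header
    buf += marker
    buf += b"\x00" * 4
    for _ in range(software_wide):
        buf += "SOFTWARE\\Microsoft\\Windows".encode("utf-16-le") + b"\x00\x00"
    for _ in range(software_ascii):
        buf += b"SOFTWARE\\Microsoft\\Windows\x00"
    return bytes(buf)


if __name__ == "__main__":
    cases = {
        "PE, marker, 11 wide SOFTWARE": build_sample(True, b"Fuckav.ru", software_wide=11),
        "PE, marker, only 10 wide SOFTWARE": build_sample(True, b"Fuckav.ru", software_wide=10),
        "PE, marker, 20 ASCII SOFTWARE (wide-only string)": build_sample(True, b"Fuckav.ru", 0, 20),
        "not a PE, marker, 11 wide SOFTWARE": build_sample(False, b"Fuckav.ru", software_wide=11),
        "PE, UTF-16 marker, 11 wide SOFTWARE": build_sample(True, "Fuckav.ru".encode("utf-16-le"), 11),
    }
    for name, blob in cases.items():
        print(f"{name}: {lokibot_rule(blob)}")
```

Only the first and last cases match: the ten-occurrence buffer fails the `> 10` threshold, the buffer with twenty plain-ASCII `SOFTWARE` strings fails because `$s2` is declared `wide` only, and the non-PE buffer fails the `uint16(0)` check even though both strings are present. Running the real rule with `yara -s` against the same buffers should give the same verdicts.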