rule G_APT_BACKDOOR_YESROBOT_1
{
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
        description = "Python backdoor source fragments: host/user data base64-encoded into a spoofed Mozilla/5.0 User-Agent, HTTPS beaconing to /connect and /command on a list of candidate servers"

    strings:
        // User-Agent builder: "Mozilla/5.0" followed by base64(hostname), base64(username),
        // a uuid, the Windows version and the machine locale -- host fingerprint smuggled in a header.
        $ua_builder      = "return f'Mozilla/5.0 {base64.b64encode(str(get_machine_name()).encode()).decode()} {base64.b64encode(str(get_username()).encode()).decode()} {uuid} {get_windows_version()} {get_machine_locale()}'"
        $ua_header       = "'User-Agent': obtainUA(),"
        // C2 endpoints: /connect for the initial check-in, /command for tasking.
        $connect_url     = "url = f\"https://{target}/connect\""
        $command_url     = "cmd_url = f'https://{tgtIp}/command'"
        // Server selection loop over a target list.
        $target_select   = "tgtIp = check_targets(tgtList)"
        // The sample's own misspelling ("availible") is the signal -- keep byte-exact, do not "fix" it.
        $unavailable_msg = "print(f'{target} is not availible')"
        $no_servers_msg  = "print('There is no availible servers...')"

    condition:
        // NOTE(review): these are plain-text Python source lines; whether they survive in
        // compiled (.pyc) or packaged forms of the backdoor is not established here -- confirm coverage.
        4 of ($ua_builder, $ua_header, $connect_url, $command_url, $target_select, $unavailable_msg, $no_servers_msg)
}
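rule G_APT_BACKDOOR_MAYBEROBOT_1
{
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
        description = "PowerShell output-normalisation chain: newline-to-semicolon, strip non-printable bytes, drop x-prefixed 4-hex-digit escapes, then split on newline"

    strings:
        // Literal PowerShell fragment. Backslashes are doubled for YARA so the pattern matches the
        // single backslashes written in the script ('\n', '[^\x20-\x7E]', "\n").
        // 'ascii wide' added: PowerShell scripts are frequently stored as UTF-16LE on Windows, which the
        // default ascii-only match would miss. Match stays case-sensitive; PowerShell operators are
        // case-insensitive, so a '-Replace' variant would evade -- consider 'nocase' if FPs stay low.
        $replace = "-replace '\\n', ';' -replace '[^\\x20-\\x7E]', '' -replace '(?i)x[0-9A-Fa-f]{4}', '' -split \"\\n\"" ascii wide

    condition:
        // Single-string rule: the whole chain must appear verbatim.
        all of them
}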