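// Detection rules for the BADAUDIO downloader (GTIG). Two independent rules:
// rule 3 keys on strings plus x86 rotate/xor decoding sequences, rule 4 on
// two function-prologue byte patterns at fixed file-offset ranges.
//
// Scope: both rules require an "MZ" header; they are PE-only detections.

rule G_APT_DOWNLOADER_BADAUDIO_3
{
    meta:
        author = "Google Threat Intelligence Group (GTIG)"

    strings:
        // Export name imported by the sample. SystemFunction036 is the
        // advapi32 export better known as RtlGenRandom (CSPRNG), so its
        // presence alone is weak evidence; the condition requires $s2 as well.
        $s1 = "SystemFunction036"
        // Literal run of '6' digits followed by backslashes; reproduced
        // verbatim from the published rule (escaping kept as-is).
        $s2 = "6666666666666666\\\\\\\\\\\\\\\\\\"

        // Fragments of a decoding loop: C1 /0 ib = ROL r32, imm8 and 31 = XOR r32.
        // Each fragment is a distinct rotate-amount / register combination so
        // that compiler register allocation differences do not defeat the match.
        $dc1 = {C1 C2 1A ?? ?? C1 C3 15 31 D3 ?? ?? C1 C2 07}
        $dc2 = {C1 C1 1E ?? ?? C1 C6 13 ?? ?? C1 C0 0A 31}
        $dc3 = {C1 C5 19 C1 C7 0E 01 ?? ?? ?? 31 EF C1 EB 03 31}
        $dc4 = {C1 C7 0F 8B ?? ?? ?? ?? ?? C1 C3 0D 31 FB C1 EA 0A 31}

        // CMOVL eax,ecx (0F 4C C1) followed by five repetitions of
        //   CMP eax, imm32 (3D ..) ; short Jcc (70-7F rel8) or near Jcc (0F 80-8F rel32)
        // i.e. a flattened comparison chain. Counted (#f2) rather than merely
        // present, to require more than two such chains in the file.
        $f2 = /\x0F\x4C\xC1\x3D[\x01-\xFF].{3}([\x70-\x7f].|\x0f[\x80-\x8f].{4})\x3D[\x01-\xFF].{3}([\x70-\x7f].|\x0f[\x80-\x8f].{4})\x3D[\x01-\xFF].{3}([\x70-\x7f].|\x0f[\x80-\x8f].{4})\x3D[\x01-\xFF].{3}([\x70-\x7f].|\x0f[\x80-\x8f].{4})\x3D[\x01-\xFF].{3}([\x70-\x7f].|\x0f[\x80-\x8f].{4})/

    condition:
        // NOTE(review): the published condition also tested "#f1 > 5", but no
        // $f1 string is defined in this listing, so the rule as published here
        // does not compile (undefined string "$f1"). That clause is omitted
        // below; restore it together with the $f1 definition from the upstream
        // GTIG source if it can be recovered.
        uint16(0) == 0x5A4D          // "MZ" DOS header
        and all of ($s*)
        and 3 of ($dc*)              // majority of the decoder fragments
        and #f2 > 2
        and filesize < 10MB
}

rule G_APT_DOWNLOADER_BADAUDIO_4
{
    meta:
        author = "Google Threat Intelligence Group (GTIG)"

    strings:
        // lea ecx,[ebp+?] ; call rel32 ; mov edi,[ebp+?] ; add esi,imm8 ; jmp rel8 ;
        // mov dword [ebp+?],imm32 ; call rel32 ; mov ecx,[ebp+?] ; mov fs:[disp32],ecx
        // The trailing "64 89 0D" (write to FS-relative memory) looks like an
        // SEH-frame restore in an epilogue; treat that reading as unconfirmed.
        $p00_0 = {8d4d??e8[4]8b7d??83c6??eb??c745[5]e8[4]8b4d??64890d}
        // push esi ; mov edi,[esp+?] ; mov esi,[esp+?] ; mov edx,[esp+?] ;
        // mov ecx,esi ; call rel32 ; movsd xmm0,[edi] ; movsd xmm1,[edi+?] ;
        // movsd [esi+disp32],xmm1  (scalar double copies, F2 0F 10/11)
        $p00_1 = {568b7c24??8b7424??8b5424??89f1e8[4]f20f1007f20f104f??f20f118e}

    condition:
        uint16(0) == 0x5A4D                          // "MZ" DOS header
        and uint32(uint32(0x3C)) == 0x00004550       // "PE\0\0" at e_lfanew
        // Both patterns must sit within the first ~1 MB of the file; the
        // bounded ranges keep scanning cheap and reject matches in appended data.
        and (
            $p00_0 in (0..1100000)
            and $p00_1 in (0..990000)
        )
}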