Beyond the Watering Hole: APT24's Pivot to Multi-Vector Attacks


rule G_APT_DOWNLOADER_BADAUDIO_3 {
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
    strings:
        $s1 = "SystemFunction036"
        $s2 = "6666666666666666\\\\\\\\\\\\\\\\\\"
        $dc1 = {C1 C2 1A ?? ?? C1 C3 15 31 D3 ?? ?? C1 C2 07}
        $dc2 = {C1 C1 1E ?? ?? C1 C6 13 ?? ?? C1 C0 0A 31}
        $dc3 = {C1 C5 19 C1 C7 0E 01 ?? ?? ?? 31 EF C1 EB 03 31}
        $dc4 = {C1 C7 0F 8B ?? ?? ?? ?? ?? C1 C3 0D 31 FB C1 EA 0A 31}
        $f2 = /\x0F\x4C\xC1\x3D[\x01-\xFF].{3}([\x70-\x7f].|\x0f[\x80-\x8f].{4})\x3D[\x01-\xFF].{3}([\x70-\x7f].|\x0f[\x80-\x8f].{4})\x3D[\x01-\xFF].{3}([\x70-\x7f].|\x0f[\x80-\x8f].{4})\x3D[\x01-\xFF].{3}([\x70-\x7f].|\x0f[\x80-\x8f].{4})\x3D[\x01-\xFF].{3}([\x70-\x7f].|\x0f[\x80-\x8f].{4})/
    condition:
        all of ($s*) and 3 of ($dc*) and uint16(0) == 0x5A4D and (#f1 > 5 or #f2 > 2) and filesize < 10MB
}

rule G_APT_DOWNLOADER_BADAUDIO_4 {
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
    strings:
        $p00_0 = {8d4d??e8[4]8b7d??83c6??eb??c745[5]e8[4]8b4d??64890d}
        $p00_1 = {568b7c24??8b7424??8b5424??89f1e8[4]f20f1007f20f104f??f20f118e}
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
        (
            ($p00_0 in (0..1100000) and $p00_1 in (0..990000))
        )
}

Published: 2025-11-20T14:00:00