YARA Rule to Detect COMFOO Sophos Symantec

By | June 16, 2015

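// Cisco CSIRT rules for the COMFOO / Mangzamel / Eldorado clusters, as published
// on this page (all rules run together on a few long lines there).
//
// Transcription notes (review):
//  * The page rendering replaced every ASCII string delimiter with a typographic
//    quote (” “ ″), which YARA does not accept; delimiters are restored to "
//    here so the file parses.
//  * Inside string VALUES the same rendering appears to have applied the usual
//    WordPress substitutions: ' -> ‘/’, -- -> –, --- -> —, " -- " -> " — ",
//    ... -> …  These are reversed below by that table (e.g. the getopt messages
//    come back to their well-known "invalid option -- %c" form). The reversal is
//    mechanical: check any reversed value, in particular the long "aa---…" run
//    (6 em dashes -> 18 hyphens), against the listed samples before relying on it.
//  * Strings the page wrapped mid-value are rejoined on one line; the hashes in
//    each rule's comment are copied exactly as listed.
//  * Many short digit/punctuation strings (e.g. "4*4/44494>4|4") look like
//    compiler/linker output rather than family-specific text; the selectivity of
//    those rules rests on their "N of them" threshold. Test on a clean corpus
//    before deploying.

rule comfoo
{
    meta:
        author = "Chris Fry, Cisco CSIRT"
        comment = "v1. Based on ssdeep cluster of 13 ONA files, listed as comfoo by sophos and symantec"
    /* Samples in the cluster (hashes as listed on the page):
       0F393DD22DDE735E3EB5034D92F3383F 357D77B0EA73DD5CCEB0216169CA38AC
       55E8C796827AAFF3AEAF06FE6FC837EB 63639DD705B56104AA9F82D56918DAF7
       6F5481B8F9ECF8BA634C16198118AEC0 736E1280B90F15534A53E59E92A9545F
       86C4624C8E3F4A543F5E6A6387C7063E B1084B8C7D3150109D80A4CAB41CA78F
       C458E9593A4C765B07BA03F3F399FDD2 C5AF9C4BD2052A64B1908FE28F69ED17
       D2F13C8D0656711F83385C22CA61B760 E5E82FBAC6E63C7D43474C70155E8697
       E7FC045F7DC2A37B947DC613AB9B8B9B */
    strings:
        $str58 = "4*4/44494>4|4"
        $str140 = "6'6-626?6N6W6b6h6r6"
        $str101 = "5. Disk Information!"
        $str144 = "IE BHO Name:%s"
        $str150 = "9+:7:C:M:T:`:e:o:"
        $str135 = "2@2G2^2v2"
        $str206 = "1. Windows Version Information!"
        $str61 = "3. System Time!"
        $str42 = "162=2g2t2"
        $str25 = "101<1D1N1"
        $str19 = "Total size: %I64d (MB)"
        $str95 = "?+?4?;?M?T?g?"
        $str66 = "Proxy-Authorization: Basic "
        $str158 = "Internet"
        $str91 = "protocol is:"
        $str166 = "777P7U7[7t7y7"
        $str98 = "Tokenring"
        $str59 = "Hard Disk(%s--REMOVABLE):"
        $str124 = "[Print Screen]"
        $str127 = "GetDiskFreeSpaceExA"
        $str187 = "1>3G3N3c3"
        $str1 = "<#<(<X<j<x<"
        $str119 = "4&5,53585=5B5N5"
        $str41 = "Overlapped I/O operation is in progress."
        $str179 = "626<6R6m6"
        $str92 = "File System: %s"
        $str183 = "Loopback"
        $str85 = "error setoption username"
        $str171 = "939:9@9n9"
        $str199 = "4!5U5[5b5k5q5z5"
        $str38 = "=D=e=l=z="
        $str141 = "Used space: %I64d (MB)"
        $str17 = "3&303?3g3n3|3"
        $str99 = "Max of File Length Support:%d"
        $str162 = "Gateway: %s"
        $str157 = "=0F0M0p0~0"
        $str193 = "UUWPSUUV"
        $str86 = "9,:7:h:n:"
        $str156 = "[PageDown]"
        $str60 = "Server 4.0, Enterprise Edition "
        $str47 = "7!7&7+707<7m7s7"
        $str80 = "ServerLIB.dll"
        $str174 = "=.=K=e=~="
        $str111 = "IP Address: %s"
        $str100 = "Net Type:"
        $str26 = ":$:/:4:9:>:C:c:i:v:"
        $str194 = "RtlQueryProcessDebugInformation"
        $str51 = "HostName is:"
        $str31 = "systemBoot Time:"
        $str172 = "Type:Disk drive."
        $str137 = "6,6<6B6O6_6f6"
        $str190 = "?6?D?T?[?"
        $str103 = ":-:F:M:_:"
        $str21 = "4. Account Information!"
        $str82 = "7#7-7W7k7"
        $str62 = ">R?[?a?h?"
        $str24 = "CPUIdentifier:%s"
        $str169 = "060?0c0z0"
        $str34 = "Netbios:"
        $str4 = "HostName is:%s"
        $str78 = "RtlRunDecodeUnicodeString"
        $str108 = "The user's account is disabled***"
        $str90 = "0%1<1N1V1s1"
        $str175 = "Microsoft Windows Server 2003 "
        $str36 = "IP Mask:%s"
        $str63 = "7. Protocol Information!"
        $str72 = ">'?.?@?E?K?R?W?a?"
        $str33 = "4#4<4H4Q4n4|4"
        $str29 = "aa------------------"
        $str147 = "< <'<-<4<:<A<G<N<T<[<a<h<n<u<{<"
        $str129 = "Primary Wins Server:%s"
        $str10 = "Volume Name:%s"
        $str128 = "<$<2<v<{<"
        $str143 = "97:>:v:{:"
        $str46 = "11. IE BHO Information!"
        $str105 = "T1Y943jIhk"
        $str197 = "6%696W6^6"
        $str146 = "Adapter Desc: %s"
        $str40 = "8,888T8`8|8"
        $str75 = "= =P=d=p="
        $str64 = "5N6V6c6m6s6z6"
        $str152 = "VendorIdentifier"
        $str203 = "Server 4.0 "
        $str126 = "<$=E=K=R=X=g=m="
        $str184 = "----Administrator"
        $str204 = "Type:Print queue."
        $str7 = "File System:%s"
        $str163 = "error setoption password"
        $str32 = "Windows "
        $str94 = "Physical address:"
        $str132 = "CPUVendorIdentifier:%s"
        $str149 = "4%5.555b5i5"
        $str134 = "Accept-Language: %s"
        $str120 = ";2;:;?;G;M;T;Z;a;g;o;v;"
        $str181 = "Type:Communication device."
        $str50 = "8,8C8T8Y8`8e8l8u8~8"
        $str113 = "4(4,484H4X4h4x4"
        $str53 = "</=6=q=~="
        $str131 = "0:0O0U0b0}0"
        $str43 = "PSSSSSSSSQ"
        $str151 = "version Number:%d.%d.%d.%d"
        $str2 = ">^>s>y>~>"
        $str155 = "Secondary Wins Server:%s"
        $str125 = "GetUserProfileDirectoryA"
        $str35 = "011[1f1{1"
        $str30 = "FDICreate"
        $str65 = "FDIDestroy"
        $str39 = "=->4>?>D>I>N>S>s>y>"
        $str114 = "Microsoft Windows NT 3.51"
        $str170 = "9T9Z9g9v9"
        $str79 = "ServiceDll"
        $str185 = "----User"
        $str96 = "6 7(7/7t7y7"
        $str180 = "D$`SUVWPj"
        $str118 = "8%909V9[9"
        $str74 = "SystemCurrent Time:"
        $str167 = "QueryDosDeviceA"
        $str71 = "1(1/1l1s1"
        $str148 = "CPUSpeed:%d.%dGHz"
        $str202 = ";$;0;L;X;t;"
        $str48 = "7#777m7s7"
        $str6 = ">$>)>.>3>8>g>y>"
        $str107 = "8*8:8i8p8"
        $str138 = "Max of File Length Support: %d"
        $str54 = "----Guest"
        $str192 = "6 6;6a6n6"
        $str145 = ">0>D>S>Z>"
        $str115 = "Volume Name: %s"
        $str13 = "tpHt!Hu}"
        $str153 = "<;<S<X<j<o<t<z<"
        $str176 = "Total of %d entries enumerated."
        $str154 = "Volume Name:%s "
        $str81 = "5)5W5f5w5"
        $str121 = "2'2A2W2b2g2m2"
        $str57 = "Free space: %I64d(MB)"
        $str161 = "2 3'3:3A3f3k3"
        $str106 = "?,?9???`?"
        $str11 = "8%8,8;8j8o8y8"
        $str116 = "6%6A6Q6Z6i6s6{6"
        $str49 = "WSACleanup"
        $str159 = "Content-Type: application/octet-stream"
        $str122 = "5e5*6/64696>6C6H6M6R6W6"
        $str142 = "Used space: %I64d(MB)"
        $str93 = "Hard Disk(%s--LocalDisk):"
        $str23 = "ProcessorNameString"
        $str87 = "6 6$6(6@6T6d6h6t6"
        $str196 = "2. CPU Type!"
        $str20 = "Netbios Error:"
        $str16 = "3#3O3a3o3"
        $str198 = "9. InstallApp Information!"
        $str8 = "131B1J1h1w1"
        $str68 = "9(9D9P9l9x9"
        $str83 = "image/gif"
        $str173 = "FDIIsCabinet"
        $str139 = "[PageUp]"
        $str133 = "0/161f1k1"
        $str84 = "=A=^=s=}="
        $str76 = "<#<.<@<`<"
        $str27 = "OpenDesktopA"
        $str188 = "HttpAddRequestHeadersA"
        $str189 = "<(<D<P<l<x<"
        $str18 = "7 7'7/787B7S7"
        $str110 = "[Insert]"
        $str182 = ": :$:(:,:"
        $str205 = "Disk(%s-REMOVABLE): "
        $str186 = "8-939:9?9F9K9T9"
        $str191 = "Network information:"
        $str77 = "8. NETBIOS Information!"
        $str102 = "6. NET Information!"
        $str22 = "98:`:g:u:z:"
        $str15 = "Free space: %I64d (MB)"
        $str97 = "10. IE Version Information!"
        $str55 = "No %d CPU Information:"
        $str177 = "???G?d?p?x?"
        $str12 = ">#>D>L>R>Y>^>c>h>q>"
        $str165 = "[Num Lock]"
        $str160 = "cabinet.dll"
        $str89 = "[Scroll Lock]"
        $str3 = "7 7$7(7V7[7"
        $str136 = ">h>l>p>t>"
        $str130 = "WINLOGON"
        $str44 = "=#=-=]=q="
        $str67 = "User Agent"
        $str14 = "182B2L2r2{2"
        $str207 = "1$1.181A1G1M1]1f1"
        $str112 = "Microsoft Windows NT 4.0"
        $str56 = ">,>8>T>`>|>"
        $str104 = "5!535<5N5_5|5"
        $str201 = "6N6Z6d6{6"
        $str88 = "%s (Build %d)"
        $str69 = "DNS Servers:%s"
        $str70 = ":4:::G:W:m:"
        $str195 = "image/jpeg"
        $str37 = "7'7-7C7M7T7h7"
        $str164 = "HTTP/1.1"
        $str123 = "CPUNameString:%s"
        $str178 = "'0-04090@0E0Q0"
        $str117 = "<$<-<2<:<@<G<M<T<Z<a<g<o<u<"
        $str168 = "Ethernet"
        $str73 = "<>=S=f=x="
        $str52 = "image/x-xbitmap"
        $str5 = ";I<Q<W<b<o<w<"
        $str200 = "5A5G5[5`5o5"
        $str0 = "4-4N4V4j4y4"
        $str28 = "7,787@7T7x7"
        $str45 = "Type:Interprocess communication (IPC)."
        $str109 = "3 393N3U3v3"
        $str9 = "RtlCreateQueryDebugBuffer"
    condition:
        40 of them
}

rule comfoo_A_DPD
{
    meta:
        author = "Chris Fry, Cisco CSIRT"
        comment = "Based on ssdeep cluster of 6 files from ONA, ID'd as DPD and comfoo.A"
    /* Samples in the cluster (hashes as listed on the page):
       0A9FC2A353E7B20A76729808D090D52A 15F26460DAA9C165D738C833608781E3
       38C92523DF61DBA21A11DBC9CEFA464A 652DCC5A48C5459977805D407AAB52F8
       90C11290C6207BFD8B5DEB32044D14E3 95743A8BF673FF5D225DFBEFD5221543 */
    strings:
        $str36 = ":!:3:D:V:}:"
        $str49 = "----Guest"
        $str55 = ";&;O;t;~;"
        $str149 = "3 4,434O4]4~4"
        $str177 = "44494E4K4Q4[4}4"
        $str33 = "%060W0]0n0w0"
        $str50 = "No %d CPU Information:"
        $str165 = "Ethernet"
        $str61 = "3. System Time!"
        $str192 = "perfdi.ini"
        $str79 = "6(626F6b6l6"
        $str5 = ";(;D;P;l;x;"
        $str193 = "Network information:"
        $str70 = "SystemCurrent Time:"
        $str44 = "11. IE BHO Information!"
        $str125 = "WINLOGON"
        $str97 = "Max of File Length Support:%d"
        $str141 = "727:7B7H7N7[7e7o7v7~7"
        $str111 = "Volume Name: %s"
        $str66 = "DNS Servers:%s"
        $str107 = "4:5Q5Y5{5"
        $str166 = "=#=*=V=[="
        $str121 = "1-1O1c1y1"
        $str100 = "5. Disk Information!"
        $str0 = "HostName is:%s"
        $str16 = "Netbios Error:"
        $str75 = "ServiceDll"
        $str113 = "6.7D7S7g7"
        $str20 = "OpenDesktopA"
        $str53 = "Free space: %I64d(MB)"
        $str30 = "5Z6_6d6i6n6s6x6}6"
        $str139 = "version Number:%d.%d.%d.%d"
        $str203 = "4T4[4j4v4|4"
        $str106 = "[Insert]"
        $str9 = "tpHt!Hu}"
        $str160 = ";0;X<_<z<"
        $str159 = ">$>0>L>X>t>"
        $str58 = "Server 4.0, Enterprise Edition "
        $str181 = "D$`SUVWPj"
        $str133 = "Used space: %I64d(MB)"
        $str43 = "Type:Interprocess communication (IPC)."
        $str172 = "7$70787L7p7"
        $str168 = "Type:Disk drive."
        $str101 = "6. NET Information!"
        $str171 = "Total of %d entries enumerated."
        $str124 = "Primary Wins Server:%s"
        $str32 = "Netbios:"
        $str65 = "User Agent"
        $str208 = "Disk(%s-REMOVABLE): "
        $str99 = "Net Type:"
        $str189 = ">=?K?X?e?y?"
        $str161 = "QueryDosDeviceA"
        $str118 = "[Print Screen]"
        $str136 = "7!717Q7a7q7"
        $str169 = "FDIIsCabinet"
        $str71 = "9-:4:?:D:I:N:S:s:y:"
        $str128 = "Accept-Language: %s"
        $str126 = "?&?R?Z?h?y?~?"
        $str3 = "RtlCreateQueryDebugBuffer"
        $str12 = "Free space: %I64d (MB)"
        $str14 = "Total size: %I64d (MB)"
        $str184 = "Loopback"
        $str188 = "0#0[0a0j0q0"
        $str38 = "Overlapped I/O operation is in progress."
        $str179 = "0)1A1K1T1^1h1q1w1}1"
        $str6 = "546:6G6Y6s6"
        $str180 = "3#3,353?3L3T3o3{3"
        $str73 = "RtlRunDecodeUnicodeString"
        $str130 = "[PageUp]"
        $str103 = "The user's account is disabled***"
        $str135 = "Adapter Desc: %s"
        $str134 = "IE BHO Name:%s"
        $str163 = "4 4$404@4P4`4p4"
        $str146 = "0'0.0<0A0F0K0P0"
        $str25 = "9'9H9Q9q9{9"
        $str28 = ">'><>B>I>N>U>Z>f>"
        $str19 = "CPUIdentifier:%s"
        $str8 = "6#777I7S7]7"
        $str60 = "=$=/=<=F=[=g=m="
        $str52 = ":F:V:h:v:"
        $str62 = "7. Protocol Information!"
        $str131 = "Used space: %I64d (MB)"
        $str56 = "7=7G7N7~7"
        $str204 = "Server 4.0 "
        $str123 = ">#>Y>`>o>"
        $str45 = "WSACleanup"
        $str85 = "7&888>8M8a8"
        $str138 = "2A3J3Q3t3"
        $str122 = "image/pjpeg"
        $str176 = ":);4;X;];y;"
        $str80 = "error setoption username"
        $str4 = "Volume Name:%s"
        $str92 = "Physical address:"
        $str209 = "1. Windows Version Information!"
        $str187 = "----User"
        $str144 = "<&<,<3<9<@<F<M<S<Z<`<g<m<t<z<"
        $str2 = "=&=B=Z=d="
        $str127 = "CPUVendorIdentifier:%s"
        $str31 = "7(7/7Y7d7"
        $str196 = "image/jpeg"
        $str186 = "6N6M7T7^7q7"
        $str64 = "Proxy-Authorization: Basic "
        $str185 = "----Administrator"
        $str42 = "7%707L7Y7"
        $str96 = "Tokenring"
        $str158 = "[Num Lock]"
        $str150 = "[PageDown]"
        $str48 = "image/x-xbitmap"
        $str152 = "Content-Type: application/octet-stream"
        $str78 = "image/gif"
        $str142 = "VendorIdentifier"
        $str93 = "=(=/=R=`=p=w="
        $str170 = "Microsoft Windows Server 2003 "
        $str108 = "IP Address: %s"
        $str37 = ">/?=?J?Q?"
        $str194 = "UUWPSUUV"
        $str84 = "2:2H2X2_2"
        $str11 = ";'<7<B<S<^<p<"
        $str116 = "9*:1:P:[:p:"
        $str140 = "3+373T3[3s3"
        $str51 = "?!?7?@?L?p?"
        $str35 = ";2;:;H;[;`;f;"
        $str87 = "9 9<9H9d9p9"
        $str137 = "CPUSpeed:%d.%dGHz"
        $str199 = "=!=&=+=0=9=I=_=s="
        $str119 = "GetUserProfileDirectoryA"
        $str98 = ">$>)>.>l>~>"
        $str83 = "[Scroll Lock]"
        $str94 = "10. IE Version Information!"
        $str69 = ";-;2;7;<;A;"
        $str174 = "41585O5k5"
        $str120 = "GetDiskFreeSpaceExA"
        $str147 = "Volume Name:%s "
        $str22 = "FDICreate"
        $str154 = "Gateway: %s"
        $str198 = "2. CPU Type!"
        $str201 = "6F7Z7l7s7"
        $str67 = "495Q5c5l5~5"
        $str148 = "Secondary Wins Server:%s"
        $str59 = ":,:8:T:`:|:"
        $str175 = ";$;0;];x;"
        $str17 = "4. Account Information!"
        $str197 = ">->A>W>a>k>x>"
        $str27 = "Windows "
        $str151 = "Internet"
        $str63 = "FDIDestroy"
        $str145 = "='=1=;=E=O=Y=c=m="
        $str205 = "6%6,61666;6G6l6"
        $str7 = "6%6,6:6?6D6I6N6"
        $str82 = "%s (Build %d)"
        $str95 = ";(<.<=<i<n<}<"
        $str105 = "3 393N3U3v3"
        $str114 = "6B6W6]6b6o6~6"
        $str207 = ";4;b;j;o;w;};"
        $str195 = "RtlQueryProcessDebugInformation"
        $str76 = "ServerLIB.dll"
        $str191 = "HttpAddRequestHeadersA"
        $str54 = "3*454G4N4Z4a4"
        $str173 = "708=8M8T8j8x8"
        $str47 = "HostName is:"
        $str91 = "0*0I0N0u0"
        $str129 = "Max of File Length Support: %d"
        $str153 = "cabinet.dll"
        $str88 = "File System: %s"
        $str115 = "2'2A2W2b2g2m2"
        $str41 = "PSSSSSSSSQ"
        $str81 = "<&<4<9<><C<H<w<"
        $str155 = "error setoption password"
        $str200 = "9. InstallApp Information!"
        $str117 = "CPUNameString:%s"
        $str90 = "6*6>6Y6_6y6"
        $str46 = "354I4X4_4"
        $str109 = "Microsoft Windows NT 4.0"
        $str89 = "Hard Disk(%s--LocalDisk):"
        $str26 = "< <<<H<d<p<"
        $str13 = "<7=_=f=t=y=~="
        $str72 = "8. NETBIOS Information!"
        $str112 = "2+31383=3B3G3S3"
        $str178 = "8 8-8V8j8"
        $str102 = "T1Y943jIhk"
        $str164 = "[Windows Title: %s]"
        $str77 = "3:3S3f3p3"
        $str157 = "7c7i7q7v7{7"
        $str162 = "212H2N2[2b2i2"
        $str202 = "1 2F3M3k3"
        $str190 = ":+:1:;:A:W:d:"
        $str86 = "protocol is:"
        $str68 = "0?0F0Q0V0[0`0e0"
        $str10 = "8!9/9K9c9"
        $str206 = "Type:Print queue."
        $str156 = "HTTP/1.1"
        $str39 = "4'424@4N4"
        $str15 = "343[3b3h3t3"
        $str132 = "1'1,11161;1[1a1"
        $str23 = "0%151`1l1t1~1"
        $str24 = "systemBoot Time:"
        $str104 = "9(929<9F9Q9Z9m9"
        $str167 = ">%?1?N?h?w?"
        $str34 = "IP Mask:%s"
        $str57 = "Hard Disk(%s--REMOVABLE):"
        $str182 = "Type:Communication device."
        $str110 = "Microsoft Windows NT 3.51"
        $str183 = "465;5q5w5"
        $str74 = "!0-0C0O0k0"
        $str1 = "File System:%s"
        $str143 = "626G6T6q6"
        $str29 = "8$808L8X8t8"
        $str21 = "aa------------------"
        $str18 = "ProcessorNameString"
        $str40 = "?)?.?<?S?a?s?"
    condition:
        // $str183 is a mandatory anchor on top of the count, as published.
        $str183 and 30 of them
}

rule comfoo_B
{
    meta:
        author = "Chris Fry, Cisco CSIRT"
        comment = "based on ssdeep cluster of 58 ONA files, ID'd by AV as comfoo.B"
    // No sample hashes were listed on the page for this rule.
    strings:
        $str16 = "Total size: %I64d (MB)"
        $str153 = "[PageDown]"
        $str118 = "7B8H8T8]8b8j8p8w8}8"
        $str165 = "=N?W?^?s?"
        $str37 = "PSSSSSSSSQ"
        $str146 = "5+5C5J5P5~5"
        $str23 = ";b;k;q;x;"
        $str78 = "4(4,484H4X4h4x4"
        $str14 = "Free space: %I64d (MB)"
        $str157 = "error setoption password"
        $str71 = "ServerLIB.dll"
        $str186 = "7:8@8G8L8Q8V8b8m8"
        $str80 = "File System: %s"
        $str29 = "Netbios:"
        $str150 = "0.0<0L0S0"
        $str130 = "Accept-Language: %s"
        $str124 = "WINLOGON"
        $str98 = "[Insert]"
        $str112 = "5'5,51565;5v5"
        $str106 = "2 2/2W2^2l2q2v2{2"
        $str93 = "T1Y943jIhk"
        $str61 = "9'9X9^9s9"
        $str170 = "FDIIsCabinet"
        $str6 = "8'9.9M9X9"
        $str199 = ";$;0;L;X;t;"
        $str12 = "tpHt!Hu}"
        $str188 = "HttpAddRequestHeadersA"
        $str183 = "Loopback"
        $str173 = "313D3J3Q3V3[3`3l3"
        $str62 = "SystemCurrent Time:"
        $str76 = "%s (Build %d)"
        $str167 = "Type:Disk drive."
        $str201 = "Type:Print queue."
        $str125 = " 0,040>0s0{0"
        $str172 = "Total of %d entries enumerated."
        $str69 = "5+646;6^6l6|6"
        $str121 = "image/pjpeg"
        $str102 = "Microsoft Windows NT 3.51"
        $str198 = "9. InstallApp Information!"
        $str68 = "8. NETBIOS Information!"
        $str81 = "Hard Disk(%s--LocalDisk):"
        $str43 = "image/x-xbitmap"
        $str179 = "D$`SUVWPj"
        $str192 = "RtlQueryProcessDebugInformation"
        $str104 = "='>.>i>v>"
        $str35 = "4#4(4-424>4"
        $str73 = "image/gif"
        $str54 = ">C>I>O>p>w>"
        $str84 = "4=5C5J5O5V5[5d5"
        $str196 = "011e1k1r1{1"
        $str28 = "(0.050:0A0F0O0"
        $str94 = "The user's account is disabled***"
        $str79 = "protocol is:"
        $str160 = "QueryDosDeviceA"
        $str144 = "2!3e3k3r3w3|3"
        $str200 = "Server 4.0 "
        $str52 = "3. System Time!"
        $str20 = "CPUIdentifier:%s"
        $str175 = "6+6=6V6]6o6"
        $str17 = "Netbios Error:"
        $str99 = "IP Address: %s"
        $str63 = ";7;>;P;U;[;b;g;q;"
        $str140 = "3!3-373A3J3P3W3_3h3r3"
        $str132 = "Max of File Length Support: %d"
        $str133 = "[PageUp]"
        $str127 = "4 4*454<4K4z4"
        $str117 = "GetDiskFreeSpaceExA"
        $str13 = "3+373=3S3]3d3x3"
        $str135 = "051>1E1r1y1"
        $str149 = "3!313A3Y3"
        $str107 = "=0I0Q0j0r0"
        $str22 = "OpenDesktopA"
        $str100 = "Microsoft Windows NT 4.0"
        $str66 = "1T1^1!212n2"
        $str38 = "<5<;<B<H<W<]<w<"
        $str0 = "6[7o7u7~7"
        $str148 = "'030L0X0a0~0"
        $str96 = "3 393N3U3v3"
        $str83 = "Physical address:"
        $str10 = "Volume Name:%s"
        $str91 = "6. NET Information!"
        $str19 = "ProcessorNameString"
        $str119 = "=+=:=B=c=r=z="
        $str161 = "9'9>9[9u9"
        $str31 = "6 6+646?6d6j6w6"
        $str159 = "[Num Lock]"
        $str85 = "6 7(7/7t7y7"
        $str129 = "5.5d5j5w5"
        $str7 = "File System:%s"
        $str30 = "5$525B5I5"
        $str105 = "9 :':9:@:x:"
        $str147 = "VendorIdentifier"
        $str128 = "CPUVendorIdentifier:%s"
        $str90 = "5. Disk Information!"
        $str59 = "DNS Servers:%s"
        $str75 = "8K8c8h8z8"
        $str113 = "1`5d5h5l5p5t5x5|5"
        $str48 = ">,>8>T>`>|>"
        $str3 = "=3=;=P=~="
        $str163 = "Ethernet"
        $str25 = "FDICreate"
        $str203 = "1. Windows Version Information!"
        $str34 = "Overlapped I/O operation is in progress."
        $str177 = "5#5(5-525U5d5r5"
        $str8 = ":]:d:o:t:y:~:"
        $str193 = "5-646?6D6I6N6S6s6y6"
        $str74 = "error setoption username"
        $str143 = "=N=c=i=n={="
        $str139 = "IE BHO Name:%s"
        $str5 = "HostName is:%s"
        $str97 = ":&:4:9:>:C:H:w:"
        $str70 = "RtlRunDecodeUnicodeString"
        $str36 = "0(01070=0M0V0z0"
        $str142 = "CPUSpeed:%d.%dGHz"
        $str2 = "2,2?2Y2e2"
        $str164 = "626:6H6[6`6f6"
        $str123 = ";#;F;T;d;k;"
        $str40 = "11. IE BHO Information!"
        $str202 = "=%=,=8=?=|="
        $str171 = "Microsoft Windows Server 2003 "
        $str145 = "version Number:%d.%d.%d.%d"
        $str64 = "3>3F3Z3i3q3"
        $str197 = "2. CPU Type!"
        $str49 = "Free space: %I64d(MB)"
        $str57 = "User Agent"
        $str174 = ">0?7?J?Q?v?{?"
        $str18 = "4. Account Information!"
        $str72 = "?$?)?0?5?A?"
        $str58 = "9(9D9P9l9x9"
        $str21 = "<?=F=v={="
        $str82 = "? ?/?a?~?"
        $str152 = "Secondary Wins Server:%s"
        $str155 = "Content-Type: application/octet-stream"
        $str41 = "WSACleanup"
        $str109 = "2'2A2W2b2g2m2"
        $str156 = "Gateway: %s"
        $str176 = "3,4T4u4|4"
        $str181 = "Type:Communication device."
        $str185 = "----User"
        $str151 = "Volume Name:%s "
        $str46 = "No %d CPU Information:"
        $str44 = "2$252P2k2"
        $str137 = "Used space: %I64d(MB)"
        $str111 = "5e5*6/64696>6C6H6M6R6W6"
        $str4 = "5,525?5O5V5"
        $str26 = "systemBoot Time:"
        $str92 = "6[6g6s6}6"
        $str158 = "HTTP/1.1"
        $str122 = "Primary Wins Server:%s"
        $str39 = "Type:Interprocess communication (IPC)."
        $str131 = ":,:@:T:c:j:"
        $str189 = "<(<D<P<l<x<"
        $str178 = "252I2g2n2"
        $str154 = "Internet"
        $str182 = ": :$:(:,:"
        $str194 = "image/jpeg"
        $str136 = "Used space: %I64d (MB)"
        $str50 = "=/>7>T>`>h>~>"
        $str95 = "6 6$6(6@6T6d6h6t6"
        $str168 = "8Y8a8g8r8"
        $str51 = "Server 4.0, Enterprise Edition "
        $str162 = "[Windows Title: %s]"
        $str33 = "8,888T8`8|8"
        $str60 = ">*?0?7?<?A?F?O?~?"
        $str24 = "aa------------------"
        $str15 = "8 8$8(8,8084888<8@8D8H8L8P8T8"
        $str116 = "GetUserProfileDirectoryA"
        $str101 = "1&141D1K1Y1"
        $str42 = "HostName is:"
        $str88 = "Max of File Length Support:%d"
        $str77 = "[Scroll Lock]"
        $str108 = "1)2/252Q2a2j2y2"
        $str169 = "4#4(4K4]4k4"
        $str191 = "UUWPSUUV"
        $str53 = "7. Protocol Information!"
        $str110 = ";$;*;1;7;>;D;K;Q;X;^;e;k;r;x;"
        $str190 = "Network information:"
        $str32 = "IP Mask:%s"
        $str141 = "Adapter Desc: %s"
        $str86 = "10. IE Version Information!"
        $str103 = "Volume Name: %s"
        $str89 = "Net Type:"
        $str166 = "31474K4P4_4u4{4"
        $str47 = "1^2f2s2}2"
        $str180 = "4#4,4>4O4l4"
        $str11 = ";>;[;d;k;};"
        $str138 = "7,787@7T7x7"
        $str195 = "3$3)3.3l3~3"
        $str134 = "030:0I0R0"
        $str184 = "----Administrator"
        $str87 = "Tokenring"
        $str45 = "----Guest"
        $str56 = "Proxy-Authorization: Basic "
        $str67 = "3G3`3e3k3"
        $str120 = ":);.;=;L;X;"
        $str114 = "CPUNameString:%s"
        $str27 = "Windows "
        $str115 = "[Print Screen]"
        $str65 = "= =P=d=p="
        $str126 = "MYGAMEHAVESTARTED"
        $str1 = "3 3$3(3,3034383f3k3"
        $str187 = "?-?4?C?K?"
        $str55 = "FDIDestroy"
        $str9 = "RtlCreateQueryDebugBuffer"
    condition:
        50 of them
}

rule eldorado_comfoo
{
    meta:
        author = "Chris Fry, Cisco CSIRT"
        comment = "ssdeep cluster of 5 ONA files, tagged as eldorado possible comfoo"
    /* Samples in the cluster (hashes as listed on the page):
       0BDF134F80C317FBBCB305BC59DF2ECE 1F640DCF53CD958B1E17DBDAFB3C6902
       B6156F6A7E0F3003263FF23DF9A9E9AE C6C98A9FC58715202CD066DA3484FF3D
       F576713A85F1FD690A60B5C382EA711D */
    strings:
        $str2 = "Universal Transaction Coordinator"
        $str8 = "VirtualFreeEx"
        $str1 = "WriteProcessMemory %d"
        $str3 = "DependOnService"
        $str9 = "utcorgr.dll"
        $str7 = "StrCmpNIA"
        $str10 = "CreateRemoteThread %d"
        $str6 = "VirtualAllocEx"
        $str0 = "HtBHt!Hu("
        $str5 = "Rsrsvc.exe"
        $str11 = "OpenProcess %d"
        $str4 = "VirtualAllocEx %d"
    condition:
        // "all of them": every string must be present, so a single changed
        // message in a new build breaks the match -- tight, but low-FP.
        all of them
}

rule Generated_Rules
{
    meta:
        author = "Chris Fry, Cisco CSIRT"
        comment = "ssdeep cluster of 6 ONA files, ID'd as CMDer and maybe Eldorado"
    /* Samples in the cluster (hashes as listed on the page):
       17907083EFF6D9E7EFBD821B0632C83A 4264DF838A362B2509A773AACCA3F360
       B3C57818E3F0151DF9E4586DF85307EB BAB26D0F7F9830BB8055DC5C88CBFC9D
       C65D7FD6ECFE4D04ED9B029C61719A97 F4BF2933F6A4AEB4BF0594DDBF936CCD */
    // Rule name kept as published (it is the identifier other tooling may
    // reference), although it says nothing about the family.
    strings:
        $str0 = "D$<SUVWh"
        $str5 = "<4,$?7/'"
        $str6 = "send = %d"
        $str2 = "D$$j@hPA@"
        $str3 = "SUVWj@PhPA@"
        $str4 = "*(SY)# cmd"
        $str1 = "SetProcessPriorityBoost"
    condition:
        5 of them
}

rule eldorado_liksput
{
    meta:
        author = "Chris Fry, Cisco CSIRT"
        comment = "ssdeep cluster of 6 ONA files, ID'd as likesput and eldorado. C2 with http img tag"
    /* Samples in the cluster (hashes as listed on the page):
       4B6F5E62D7913FC1AB6C71B5B909ECBF 6E754BF015656F067BD9B76802FA2C7B
       A40872B40DD906F2758101681CC88607 B3F6D5D59BCDBFFBD50594B7E4E4A9D1
       C1CC7C3587DA40AE5FD0059E0C50D3AB E54CE5F0112C9FDFE86DB17E85A5E2C5 */
    strings:
        $str47 = "URLDownloadToFileA"
        $str31 = "Program started!"
        $str42 = "Service stopped!"
        $str2 = "YYWWVh50@"
        $str32 = "Adobe Reader Speed Launcher"
        $str50 = "Removeable"
        $str34 = "Computer:"
        $str18 = "Service does not exist!"
        $str14 = "Service stop pending!"
        $str36 = "~MS80547.bat"
        $str13 = "Mozilla/5.0"
        $str17 = "%ComSpec%"
        $str61 = "Cache-Control:no-cache"
        $str43 = "%s Connected!"
        $str56 = "Content-Length: %d"
        $str16 = "YYWWVhp/@"
        $str55 = "GetUrl URL FileName"
        $str35 = "Shell started fail!"
        $str23 = "Service started!"
        $str5 = "HttpAddRequestHeadersA"
        $str7 = "kill </p|/s> <pid|ServiceName>"
        $str12 = "CmdPath="
        $str20 = "Totally %d volumes found."
        $str27 = "OpenSCManager failed!"
        $str30 = "ControlService failed!"
        $str25 = "Service is running already!"
        $str19 = "Service still running!"
        $str60 = "Started already,"
        $str0 = "%-24s %s"
        $str38 = "Service doesn't start!"
        $str26 = "CreateProcessAsUserA"
        $str37 = "t<Ht2Ht(Ht"
        $str45 = "OpenP failed with %d!"
        $str40 = "Proxy-Connection:Keep-Alive"
        $str21 = "YYSSSVSS"
        $str58 = "list service failed!"
        $str11 = "Sleep Time:"
        $str39 = "CreateProcess failed!"
        $str1 = "Create failed with %d!"
        $str54 = "StartService failed!"
        $str9 = "getf/putf FileName <N>"
        $str29 = "OpenService failed!"
        $str22 = "Volume on this computer:"
        $str46 = "Shell started successfully!"
        $str53 = "%*[^/]%*[/]%*[^/]%s"
        $str52 = "Process cmd.exe exited!"
        $str48 = "GetUserProfileDirectoryA"
        $str6 = "%-26s %5d"
        $str24 = "GetFileAttributes Error code: %d"
        $str33 = "start </p|/s> <filename|ServiceName>"
        $str44 = "Cache-Control:max-age=0"
        $str41 = " and the PID is %d"
        $str3 = "So long!"
        $str8 = "list process failed!"
        $str15 = "Pragma:no-cache"
        $str10 = "Syntax error!"
        $str4 = "FileSize:"
        $str59 = "<h1>Bad Request (Invalid Hostname)</h1>"
        $str51 = "OpenT failed with %d!"
        $str49 = "list </p|/s|/d>"
        $str63 = "Volume Name"
        $str28 = "Accept:*/*"
        $str62 = "Shell started,wait to terminate it....."
        $str57 = "EnumServicesStatusExA"
    condition:
        40 of them
}

rule mangzamel_backdoor
{
    meta:
        author = "Chris Fry, Cisco CSIRT"
        comment = "ssdeep cluster of 7 ONA files, ID'd as Mangzamel backdoor by several AV"
    /* Samples in the cluster (hashes as listed on the page):
       015B3402642F156786E972C0F884B0AE 0C7819D7681D27B42718F01E2E40225A
       35FEAEF71ECC4D8503D9D27A5FE093FD 55C4AAF8AD7183B7DA74EAFC72B0C957
       62C29E4CE2E4229C2FFAB945A73B5F26 8CBD1383CCB4B7D6276B8184BD7EEF86
       B2EFD76AF86C79860165CEAAC36DE2B4 */
    // NOTE(review): the "%s: ... option" messages are the stock getopt() texts
    // and will be present in many unrelated binaries; the family-specific
    // strings are the "Joint Unit" / "Please Correct [-x %s]" ones.
    strings:
        $str87 = "Mang.xml"
        $str90 = "_filelengthi64"
        $str58 = "Sub Server"
        $str57 = "VirtualProtectEx"
        $str24 = "Parent Server"
        $str1 = "currently"
        $str83 = "Dest Network"
        $str6 = "Service Pack 6a"
        $str48 = "EndUpdateResourceA"
        $str4 = "Please Correct [-r %s]"
        $str78 = "Connect to IP:%s Port:%d"
        $str61 = "---Joint Unit Count:%d---"
        $str76 = "LessChild"
        $str65 = "_wfindnexti64"
        $str89 = "Could not add resource."
        $str51 = "VMProxy1"
        $str74 = "Timeout & QUIT!!!"
        $str80 = "_wremove"
        $str56 = "Manage Server"
        $str71 = "3tWJt9Jt$"
        $str19 = "Content-Length: 0"
        $str12 = "Please input [-t] dest_type"
        $str54 = "psapi.dll"
        $str42 = "Please input [-m] ModifyType"
        $str32 = "The service is %s installed"
        $str85 = "Please input [-s] Socket Type"
        $str16 = "Add Joint Unit Failure."
        $str39 = "SocketID = %d %s:%d"
        $str36 = "%s failed to install. Error %d"
        $str28 = "Service Pack 6"
        $str10 = "SCSIDISK"
        $str0 = "%s: option `%s' is ambiguous"
        $str31 = "%.2f GHz"
        $str69 = "<-t29t$<"
        $str13 = "Login: %s"
        $str81 = "_findclose"
        $str3 = "GetDllEntryUnit"
        $str88 = "%s %s %s"
        $str64 = "%s: invalid option -- %c"
        $str45 = "%s installed"
        $str72 = "POSIXLY_CORRECT"
        $str20 = "subchild"
        $str70 = "%s: option `-W %s' is ambiguous"
        $str52 = "%s Starting... "
        $str59 = "Please Correct Port [-p %s]"
        $str15 = ".?AW4FW_ERROR_CODE@@"
        $str35 = "Unknown command."
        $str34 = "ProcessorNameString"
        $str44 = "CFG2EXTR"
        $str23 = "BeginUpdateResourceA"
        $str53 = "Remove Joint Unit %d Failure."
        $str73 = "_wfindfirsti64"
        $str79 = "ewr:m:s:h:p:t:b:d:n:w:x:g:k:"
        $str18 = "%s Version %d.%d"
        $str84 = "Please Correct UserName Index [-i %s]"
        $str5 = "Please Correct [-t %s]"
        $str46 = "Reload User Path Config File"
        $str37 = "UDP_Touch Port:%d"
        $str9 = "Please Correct RightType [-g %s]"
        $str41 = "services.exe"
        $str2 = "_wfindfirst"
        $str21 = "OpenSCManager fail = %d..."
        $str66 = "%s: illegal option -- %c"
        $str8 = "Please Correct IP [-h %s]"
        $str43 = "uR;T$(uE9l$"
        $str50 = "OpenService fail = %d..."
        $str27 = "UpdateResourceA"
        $str47 = "Please input [-h] RemoteIP"
        $str33 = "Server Event Network Support System"
        $str82 = "Read Error"
        $str77 = "%s: option requires an argument -- %c"
        $str40 = "Please Correct [-m %s]"
        $str62 = "Could not write changes to file."
        $str68 = "HTTP/1.1 404 Fail"
        $str26 = "Could not remove %s. Error %d"
        $str11 = "Please input [-r] RunType"
        $str86 = "%s is not installed"
        $str38 = "Please Correct UDP-DNS-Test Port [-d %s]"
        $str29 = "Please input [-p] RemotePort"
        $str30 = "L$T_^][d"
        $str7 = "Remove Joint Unit %d success."
        $str22 = "%s is already installed"
        $str60 = "%s: option `%s' requires an argument"
        $str49 = "uY;T$(uL9l$"
        $str55 = "Please Correct [-s %s]"
        $str75 = "T$HRSSSj"
        $str25 = "Add Joint Unit At %d success."
        $str67 = "old unit not exist"
        $str17 = "Listen Port:%d"
        $str63 = "%s: unrecognized option `%c%s'"
    condition:
        20 of them
}

rule mangzamel_2_backdoor
{
    meta:
        author = "Chris Fry, Cisco CSIRT"
        comment = "based on ssdeep cluster of 7 ONA files, ID'd as mangzamel by multiple AV"
    /* Samples in the cluster (hashes as listed on the page):
       1569EBA28B579FBA5C29B23AA5030C92 23F97C51FCF9184E07EF4F739BB2AA3D
       3D578CC5D6D318D7465BA3A4677664DF 7C67CA150D4746B54CF7C0225E60EB66
       81841BF0CF458420080627DFBEFE4523 E64E867712028F2F4C71FAE53C10FE2C
       EE4CC79FAD4D8F3FB94AD93FFC1B9E70 */
    // Largely the same string set as mangzamel_backdoor with a much higher
    // threshold (60 of ~93); the two rules overlap by design.
    strings:
        $str53 = "%s Starting... "
        $str14 = "%d - [%s] %s %s %s"
        $str39 = "SocketID = %d %s:%d"
        $str9 = "Please Correct RightType [-g %s]"
        $str24 = "Parent Server"
        $str1 = "currently"
        $str62 = "---Joint Unit Count:%d---"
        $str6 = "Service Pack 6a"
        $str55 = "psapi.dll"
        $str48 = "EndUpdateResourceA"
        $str4 = "Please Correct [-r %s]"
        $str88 = "Mang.xml"
        $str63 = "Could not write changes to file."
        $str51 = "VMProxy1"
        $str54 = "Remove Joint Unit %d Failure."
        $str19 = "Content-Length: 0"
        $str12 = "Please input [-t] dest_type"
        $str42 = "Please input [-m] ModifyType"
        $str32 = "The service is %s installed"
        $str69 = "HTTP/1.1 404 Fail"
        $str66 = "_wfindnexti64"
        $str77 = "LessChild"
        $str73 = "POSIXLY_CORRECT"
        $str16 = "Add Joint Unit Failure."
        $str67 = "%s: illegal option -- %c"
        $str36 = "%s failed to install. Error %d"
        $str28 = "Service Pack 6"
        $str10 = "SCSIDISK"
        $str75 = "Timeout & QUIT!!!"
        $str0 = "%s: option `%s' is ambiguous"
        $str31 = "%.2f GHz"
        $str13 = "Login: %s"
        $str84 = "Dest Network"
        $str3 = "GetDllEntryUnit"
        $str45 = "%s installed"
        $str20 = "subchild"
        $str56 = "Please Correct [-s %s]"
        $str74 = "_wfindfirsti64"
        $str83 = "Read Error"
        $str15 = ".?AW4FW_ERROR_CODE@@"
        $str35 = "Unknown command."
        $str34 = "ProcessorNameString"
        $str92 = "%s: unrecognized option `--%s'"
        $str44 = "CFG2EXTR"
        $str87 = "%s is not installed"
        $str91 = "_filelengthi64"
        $str23 = "BeginUpdateResourceA"
        $str70 = "<-t29t$<"
        $str80 = "ewr:m:s:h:p:t:b:d:n:w:x:g:k:"
        $str52 = "Connection: close"
        $str71 = "%s: option `-W %s' is ambiguous"
        $str59 = "Sub Server"
        $str64 = "%s: unrecognized option `%c%s'"
        $str18 = "%s Version %d.%d"
        $str81 = "_wremove"
        $str61 = "%s: option `%s' requires an argument"
        $str5 = "Please Correct [-t %s]"
        $str57 = "Manage Server"
        $str46 = "Reload User Path Config File"
        $str68 = "old unit not exist"
        $str37 = "UDP_Touch Port:%d"
        $str76 = "T$HRSSSj"
        $str41 = "services.exe"
        $str2 = "_wfindfirst"
        $str21 = "OpenSCManager fail = %d..."
        $str8 = "Please Correct IP [-h %s]"
        $str43 = "uR;T$(uE9l$"
        $str90 = "Could not add resource."
        $str50 = "OpenService fail = %d..."
        $str27 = "UpdateResourceA"
        $str89 = "%s %s %s"
        $str47 = "Please input [-h] RemoteIP"
        $str33 = "Server Event Network Support System"
        $str60 = "Please Correct Port [-p %s]"
        $str40 = "Please Correct [-m %s]"
        $str86 = "Please input [-s] Socket Type"
        $str82 = "_findclose"
        $str11 = "Please input [-r] RunType"
        $str72 = "3tWJt9Jt$"
        $str38 = "Please Correct UDP-DNS-Test Port [-d %s]"
        $str29 = "Please input [-p] RemotePort"
        $str30 = "L$T_^][d"
        $str7 = "Remove Joint Unit %d success."
        $str22 = "%s is already installed"
        $str26 = "Could not remove %s. Error %d"
        $str85 = "Please Correct UserName Index [-i %s]"
        $str65 = "%s: invalid option -- %c"
        $str49 = "uY;T$(uL9l$"
        $str58 = "VirtualProtectEx"
        $str25 = "Add Joint Unit At %d success."
        $str78 = "%s: option requires an argument -- %c"
        $str79 = "Connect to IP:%s Port:%d"
        $str17 = "Listen Port:%d"
    condition:
        60 of them
}

rule pincav_eldorado
{
    meta:
        author = "Chris Fry, Cisco CSIRT"
        comment = "ssdeep of 5 ONA files, id'd as w32.pincav, which is called eldorado by others and pivy"
    /* Samples in the cluster (hashes as listed on the page):
       813D517B0DE980E065650F0FF414286F 8B6FE13A386A8103BC90016220F68EE8
       9835C0ED9D4E874FD28D3EDB25058D5C CA4B9ECF7DA8165FF5F2214D2A5FF165
       F369B21121F75E043751C4C2F73F72A1 */
    strings:
        $str22 = ";$;(;,;0;4;8;"
        $str8 = "0 0'0/04080<0e0"
        $str46 = "; ;$;(;,;0;4;8;"
        $str20 = "<'<,<0<4<Q<{<"
        $str28 = "9-939G9h9"
        $str0 = ":';L;f;k;"
        $str52 = "7$70767C7P7i7"
        $str30 = ";&;.;6;>;F;Y;a;"
        $str5 = "20040602152300"
        $str24 = "9.:5:E:m:|:"
        $str14 = "?)?/?:?@?J?P?`?f?"
        $str2 = "Content-Type: application/octet-stream"
        $str18 = " /c del "
        $str16 = "$##$%^&*@@^&&*"
        $str37 = "< <'<,<0<4<Q<{<"
        $str12 = "msserlog"
        $str54 = "YYF;5@YA"
        $str6 = "UNIQUAWI*"
        $str17 = "0'0/04080<0e0"
        $str43 = "5&*$2#$5345^34"
        $str7 = "3,4f4l4}4"
        $str42 = "@$@%$#@%"
        $str29 = "http://%s:%d/net/B%s/serinfo"
        $str4 = "Referer: http://%s:%d/"
        $str10 = "micosoft 6.1"
        $str1 = "8#9)9G9X9k9"
        $str50 = "accesopd"
        $str3 = "http://%s:%d/"
        $str32 = ":#:4:::J:Q:X:`:"
        $str23 = "91989O9X9_9w9"
        $str38 = "1%101<1J1"
        $str44 = "^}%95P?A"
        $str15 = "9 9-939G9h9"
        $str21 = "3,3?3F3X3`3p3"
        $str53 = "0(080?0F0Y0p0x0"
        $str25 = "P0=2H2P2c2i2"
        $str33 = "20040203151300"
        $str45 = "VirtualFreeEx"
        $str11 = "7:7@7a7k7v7{7"
        $str31 = "2%2e2p2w2"
        $str13 = "StrRChrA"
        $str9 = "StrToIntA"
        $str49 = "%s http://about:blank"
        $str51 = "http://about:blank"
        $str34 = ">0?D?b?n?"
        $str40 = "Shlwapi.dll"
        $str35 = "8)83898|8"
        $str19 = "= =$=(=,=z="
        $str47 = "6'6-646>6W6_6d6p6u6"
        $str26 = "StubPath"
        $str41 = "http://%s:%d/net/B%s/search%s.php"
        $str48 = "=&>8>G>Y>"
        $str36 = "=3=:=G=N="
        $str39 = "=$=(=,=z="
        $str27 = "micosoft"
    condition:
        20 of them
}

rule agent_downloader
{
    meta:
        author = "Chris Fry, CSIRT"
        comment = "cluster of 12 files from ONA, several AV define as Agent or Downloader"
    /* Samples in the cluster (hashes as listed on the page):
       0464045208C3F30AF52E94346A3D87FB 1305A5D01FB026F46F95D5AD050A8D7D
       2F8DE4BB036EF267BE442590D7C9D1AC 48F575E70CE89A3272E0BB3E28378454
       51FA035FD01515BF152ADE2874224152 6F78D52A1E566CB9E7FEAB5C12CA7BB1
       726529E5CBC42C7D1FE98FD25B2B602A AC6C47DC07EDD15CB5641222268E2412
       DCFBE3D4EEDE9D61F74ECBCE3E86E817 EFBE9D0C542B5CF1F666CBD4D0765789
       F4EA2D95192FEB00CC28EC27A1DCDD63 FF5C80EEA41EE1BA0AAB749DBDA641B8 */
    // NOTE(review): GETPASSWORD1, RENAMEDLG, ASKNEXTVOL, LICENSEDLG,
    // REPLACEFILEDLG and RarHtmlClassName look like the dialog resources of a
    // WinRAR self-extracting stub, so this rule is likely to fire on benign
    // SFX archives as well; measure the false-positive rate before deployment.
    strings:
        $str36 = "STARTDLG"
        $str13 = "Overwrite"
        $str22 = "kkkkkkkkkkkjhjjjo"
        $str26 = "aaaaaaaaaaaaaaaaaaaaf~leQmux"
        $str1 = "SavePath"
        $str29 = "TempMode"
        $str34 = "riched32.dll"
        $str15 = "SHBrowseForFolderA"
        $str32 = "RENAMEDLG"
        $str6 = "RSTU0VWXYZH"
        $str17 = "t Kt<Kt["
        $str27 = "3,45657879"
        $str18 = "%s.%d.tmp"
        $str35 = "`O/f&Tnx"
        $str0 = "GETPASSWORD1"
        $str8 = "FFFF))))))"
        $str24 = "SHAutoComplete"
        $str30 = "JJJJJJJJJJJJJJJJJJJaieQRamu"
        $str11 = "RichEdit"
        $str12 = "rrrrrrrrrrrrrppps"
        $str37 = "%s %s %s"
        $str19 = "RarHtmlClassName"
        $str4 = ":(,4;<=>;?@"
        $str7 = "ASKNEXTVOL"
        $str14 = "Shortcut"
        $str9 = "*messages***"
        $str28 = "REPLACEFILEDLG"
        $str16 = "This program must be run under Win32"
        $str23 = "8888888888{x7"
        $str25 = "LICENSEDLG"
        $str20 = "Presetup"
        $str33 = "M;Z4s+;Z,s"
        $str31 = "8888888888887"
        $str2 = "D$`;D$T|"
        $str10 = "D$,;D$0u"
        // $str3 omitted: on the page its value is a run of quote characters
        // followed by DaJKHPam, which cannot be recovered into a valid string;
        // restore it from the original rule source.
        $str21 = "gwS37%w`"
        $str5 = "IJKL=MNOPQ"
    condition:
        // $str31 is a mandatory anchor on top of the count, as published.
        $str31 and 20 of them
}

rule unkown
{
    meta:
        author = "Chris Fry, Cisco CSIRT"
        comment = "ssdeep cluster of 5 ONA files, no ID by AV"
    /* Samples in the cluster (hashes as listed on the page):
       2073EADE39F85605EDF6070D5C053FA6 2D7ED8CEC26A68F8EC67E1DCB4AA0660
       3A178016398AC1015CEB35A521697DC2 6E6850CF011587BBBCD6E5302ACF9ACD
       E27B96FFF633438E3EC0736EB70231CD */
    // Rule name (misspelling included) kept as published.
    strings:
        $str0 = "UUUUU]]]]]"
        $str1 = "hhaveTRRRh"
        $str3 = "@FTCF1@FTC"
        $str4 = "h.exehorerhexplU"
        $str2 = "hflyaTRRRh"
    condition:
        all of them
}

rule wykcores_dpd
{
    meta:
        author = "Chris Fry, Cisco CSIRT"
        comment = "ssdeep cluster of 7 ONA files, ID'd as wykcores, known use by DPD"
    /* Samples in the cluster (hashes as listed on the page, mixed case kept):
       1DAA3E392D1FEA79BADFBCD86D765D32 783E437D7C8944D57AB7A9A2C119D830
       a46d6d26faa01b4130e6cbc5a959182b b435366446b19b2038d6b6330737aef0
       bc1ebd773c2814630193db9fa1317905 d155340f05d74e375934f734d7116d1c
       f58133411b6a6229ba2a975487055462 */
    // NOTE(review): "This program must be run under Win32" and
    // "Runtime error at 00000000" are stock Borland/Delphi runtime strings;
    // they add little selectivity on their own.
    strings:
        $str77 = "CyWork-seh!!!"
        $str6 = "ConvertSidToStringSidA"
        $str19 = "0#0,03080>0Q0Z0x0~0"
        $str56 = "DoProxyHttp10("
        $str40 = "2!2,2?2G2l2t2"
        $str39 = "SysReAllocStringLen"
        $str27 = "?!?G?S?[?"
        $str42 = "6,7L7Y7f7"
        $str97 = ">6?:?>?B?F?J?N?"
        $str33 = "EnumDeviceDrivers"
        $str47 = "=#=/=<=N="
        $str49 = "75=>=I=N=V=^="
        $str17 = " HTTP/1.0"
        $str99 = "Extra-Data-Space: "
        $str88 = "<2<7<Y<t<"
        $str81 = "0!0/0J0_0i0n0"
        $str78 = "EmptyWorkingSet"
        $str73 = "=;=B=Z=|="
        $str89 = "8$8)84898>8I8N8S8^8c8h8s8x8}8"
        $str18 = "021;1a1n1"
        $str10 = "HTTP/1.0"
        $str58 = "8+80858J8O8|8"
        $str67 = "Extra-Data-Space:"
        $str92 = "5&5.565>5F5N5V5^5f5n5v5~5"
        $str87 = "3'343F3S3_3l3~3"
        $str5 = "Runtime error at 00000000"
        $str91 = "9 9%90959:9E9J9O9Z9_9d9o9t9y9"
        $str69 = "GetDeviceDriverBaseNameW"
        $str62 = "TServiceOnline"
        $str65 = "CyDll.dll"
        $str41 = "GetDeviceDriverFileNameW"
        $str31 = "4&4.464>4F4N4V4^4f4n4v4~4"
        $str80 = "1%1)1C1L1U1f1p1z1"
        $str35 = "TSockProxy"
        $str64 = "797>7u7z7"
        $str11 = "THOST_PORT_EX"
        $str98 = "< <$<(<,<0<4<8<<<J<R<j<"
        $str16 = "TZlibCompress"
        $str90 = "DoProxyDirect("
        $str12 = "THOST_PORT_PROXY_EX"
        $str8 = ";0;G;S;`;r;"
        $str63 = "QueryWorkingSet"
        $str46 = "9 9$9(9,9"
        $str82 = "TSockOptionSV"
        $str20 = "default connect 127.0.0.1:8080!"
        $str24 = "This program must be run under Win32"
        $str94 = "InitializeProcessForWsWatch"
        $str23 = "GetMappedFileNameA"
        $str36 = "setproxy["
        $str30 = "7&727@7N7"
        $str44 = "Connection: Keep-Alive"
        $str28 = "Extra-Data:"
        $str83 = "?I?R?Y?t?|?"
        $str54 = "TSockHttpTunnel"
        $str14 = "Content-Length: 0"
        $str0 = "sethostp["
        $str95 = ":&:::D:W:"
        $str29 = "UnitCacheStream"
        $str2 = "Extra-Data: "
        $str50 = "WSACleanup"
        $str26 = "warring..."
        $str25 = "CONNECT "
        $str1 = "UnitServiceFunctionU"
        $str4 = "TServiceFunction"
        $str75 = "Cache-Control: no-cache"
        $str9 = "Content-length: 0"
        $str100 = "CyService"
        $str72 = "Content-Type: text/html"
        $str86 = "3%4C4O4W4"
        $str59 = "PSAPI.dll"
        $str3 = "FPUMaskValue"
        $str66 = "TUserInfo"
        $str51 = "0,0@0L0l0x0|0"
        $str71 = "5+5D5]5n5"
        $str13 = "AdjustPrivilege fail!"
        $str32 = "UnitServiceFunction"
        $str37 = "GetDeviceDriverFileNameA"
        $str15 = "Extra-Data-Bind:"
        $str57 = "ServiceDll"
        $str101 = "TCacheStream"
        $str74 = "GetDeviceDriverBaseNameA"
        $str21 = "GET HTTP://"
        $str55 = "1_3!4K4X4e4r4"
        $str53 = "CyService Service"
        $str96 = "DoProxySocks4("
        $str45 = "WideChar"
        $str76 = "Proxy-Connection: Keep-Alive"
        $str61 = "SeCreateTokenPrivilege"
        $str93 = "SeTcbPrivilege"
        $str52 = "3!3+31393?3E3L3V3"
        $str34 = ">(>8>=>G>[>"
        $str70 = "SeAssignPrimaryTokenPrivilege"
        $str48 = "8/8:8E8M8W8a8k8"
        $str84 = "TCriSectionSV"
        $str22 = "Pragma: no-cache"
        $str38 = "9 9&93999S9Z9d9n9x9"
        $str43 = "5O6[6h6z6"
        $str68 = "1K3W3d3v3|3"
        $str79 = "Accept: */*"
        $str7 = "GetDiskFreeSpaceExA"
        $str85 = "1'1,1k1p1"
        $str60 = "0-060B0I0"
    condition:
        // Either service-name anchor must be present in addition to the count.
        ($str53 or $str77) and 30 of them
}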
