
Threat Intelligence

Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion Campaign

Email

support@pubstorm.net

Contact address used in the CL0P extortion emails and listed on the group's data leak site.















YARA Rules


rule G_Downloader_GOLDVEIN_JAVA_1
{
    // Named for the GOLDVEIN Java downloader. Matches the sample either in
    // base64-wrapped form ($chunk*/$str*) or as plaintext ($decoded*).
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
    strings:
        // Fragments of the byte array spelled out in full in $decoded1.
        // The base64 modifier makes each fragment match in any of its
        // three base64 alignments, so it is found inside a larger encoded blob.
        $chunk1 = "175,121,73" base64
        $chunk2 = "249,254,255" base64
        $chunk3 = "235,176,29" base64
        $chunk4 = "242,61,32" base64
        $chunk5 = "189,66,134" base64
        // Outbound socket on 443 and the protocol label the code passes along.
        $str1 = "java.net.Socket(h,443)" base64
        // "TLSv3.1" is not a real TLS version; the literal is matched as written.
        $str2 = "TLSv3.1" base64
        // The same artifacts when the sample is not base64-encoded.
        $decoded1 = "[175,121,73,249,254,255,235,176,29,242,61,32,189,66,134,102,56,208,18,10,132,242,223,202,90,97,118,3,83,136,84,213]"
        $decoded2 = "java.net.Socket(h,443)"
        $decoded3 = "TLSv3.1"
    condition:
        // Encoded form: at least three array fragments plus both strings;
        // plain form: the whole array and both strings.
        (3 of ($chunk*) and all of ($str*)) or all of ($decoded*)
}

rule G_Dropper_SAGEGIFT_1
{
    // Named for the SAGEGIFT dropper. Looks for servlet request/response
    // class names together with a reflective lookup of defineClass
    // (in-memory class loading), in base64 or plaintext form.
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
    strings:
        // Base64-encoded variants; the modifier covers all three alignments.
        $str1 = "ServletRequestImpl" base64
        $str2 = "getServletRequest" base64
        $str3 = "ServletResponseImpl" base64
        // Reflection call resolving ClassLoader.defineClass(byte[], int, int).
        $str4 = "dc=cl.getDeclaredMethod('defineClass',[cb,ci,ci])" base64
        // Same strings unencoded.
        $decoded1 = "ServletRequestImpl"
        $decoded2 = "getServletRequest"
        $decoded3 = "ServletResponseImpl"
        $decoded4 = "dc=cl.getDeclaredMethod('defineClass',[cb,ci,ci])"
    condition:
        // Every string of one form must be present; mixing forms does not match.
        all of ($str*) or all of ($decoded*)
}

rule G_Dropper_SAGELEAF_1
{
    // Named for the SAGELEAF dropper. Combines debug-style format strings
    // with WebLogic runtime, decompression, decoding and reflection artifacts.
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
    strings:
        // Format strings from the sample's own logging.
        $log1 = "n1=%d n2=%d"
        $log2 = "ctx.l=%d"
        $log3 = "Filter=" fullword
        // URL pattern the component appears to register on.
        $pat = "/help/*"
        // Supporting artifacts: WebLogic server runtime class, gzip inflate,
        // base64 decode and reflective method lookup.
        $s1 = "weblogic.t3.srvr.ServerRuntime"
        $s2 = "gzipDecompress"
        $s3 = "BASE64Decoder"
        $s4 = "getDeclaredMethod"
    condition:
        // At least two log strings, and at least five of all eight strings
        // ("them" includes the $log* strings already counted).
        2 of ($log*) and 5 of them
}

rule G_Launcher_SAGEWAVE_1
{
    // Named for the SAGEWAVE launcher. Matches a servlet filter class that
    // carries AES-CBC and reflection references, bounded by file size.
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
    strings:
        // Filter class name used by the sample.
        $s1 = "Log4jConfigQpgsubFilter"
        // fullword: ".Cli" and "httpReq" must not be part of a longer token.
        $s2 = ".Cli" fullword
        $s3 = "httpReq" fullword
        // Cipher transformation string; NoPadding implies the caller
        // handles block alignment itself.
        $s4 = "AES/CBC/NoPadding"
        // JVM internal names for the servlet filter chain and reflection API.
        $s5 = "javax/servlet/FilterChain"
        $s6 = "java/lang/reflect/Method"
    condition:
        // Any four of the six strings, restricted to files under 1 MB
        // to keep the rule cheap and avoid matching large archives.
        4 of ($s*) and filesize < 1MB
}



Published: 2025-10-09T14:00:00










