18 Jan Using VirusTotal, please search for the following file hash: 1232366c104bdb6e42b04adb7eff4e08 Please analyze this sample (
3) Using VirusTotal, please search for the following file hash: 1232366c104bdb6e42b04adb7eff4e08
- Please analyze this sample (using both VT and the metadata in the attached text file) and write a YARA signature that contains unique strings that is likely to produce true positive results for threat hunting activities
- Here's an example of a rule template you can use when writing your rule:
- rule Leafminer { strings: $s1 = "Sorgu.exe" wide ascii $s2 = "https://iqhost.us:3389/" wide ascii condition: any of them }
You are encouraged to perform additional open source research on the topics of YARA and Leafminer as necessary to support your submission. Please provide a list of all external sources (URLs are sufficient) on the last page of your report.
ASCII Strings: ===================== This program cannot be run in DOS mode. .reloc v2.0.50727 Strings Sorgu.exe <Module> mscorlib Object System <>c__DisplayClass9_0 <>c__DisplayClass11_0 MainService CmdService System.ServiceProcess ServiceBase Program ProjectInstaller System.Configuration.Install Installer PoweredByAttribute SmartAssembly.Attributes Attribute _handle _timer System.Threading _counter <>9__6_0 RemoteCertificateValidationCallback System.Net.Security StringBuilder System.Text serviceProcessInstaller ServiceProcessInstaller serviceInstaller ServiceInstaller .cctor OnStart OnStop TimerElasped SendRequest Action WebClient System.Net action RunCmd argument GetKey EmptyWorkingSet hwProc psapi.dll InitializeComponent Process System.Diagnostics TimerCallback WebHeaderCollection HttpRequestHeader Component System.ComponentModel ProcessStartInfo Encoding ProcessWindowStyle DataReceivedEventHandler �Exception <.ctor>b__6_0 X509Certificate System.Security.Cryptography.X509Certificates X509Chain SslPolicyErrors errors <TimerElasped>b__0 client <TimerElasped>b__1 <RunCmd>g__DoEvent0 DataReceivedEventArgs ServiceAccount ServiceStartMode InstallerCollection AssemblyCompanyAttribute System.Reflection AssemblyProductAttribute ComVisibleAttribute System.Runtime.InteropServices NeutralResourcesLanguageAttribute System.Resources AssemblyFileVersionAttribute AssemblyCopyrightAttribute RuntimeCompatibilityAttribute System.Runtime.CompilerServices CompilationRelaxationsAttribute DebuggableAttribute DebuggingModes AssemblyDescriptionAttribute AssemblyTitleAttribute CompilerGeneratedAttribute RunInstallerAttribute String Invoke DateTime get_UtcNow get_Ticks Registry Microsoft.Win32 LocalMachine RegistryKey OpenSubKey ToString GetValue SetValue ServicePointManager set_ServerCertificateValidationCallback SetTcpKeepAlive GetCurrentProcess get_Handle Change Dispose IsNullOrEmpty get_Headers set_Item get_StartInfo set_UseShellExecute set_ErrorDialog set_RedirectStandardError set_RedirectStandardOutput set_RedirectStandardInput set_CreateNoWindow get_UTF8 �set_StandardErrorEncoding set_StandardOutputEncoding set_WindowStyle set_FileName Concat set_Arguments add_OutputDataReceived add_ErrorDataReceived BeginOutputReadLine WaitForExit get_Message set_AutoLog DownloadString GetBytes UploadData get_Data AppendLine set_Account set_Password set_Username set_Description set_DisplayName set_ServiceName set_StartType get_Installers AddRange Microsoft Corporation Microsoft Windows Operating System 6.1.7600.0 Microsoft Corporation. All rights reserved. WrapNonExceptionThrows Host Process for Windows Services Powered by SmartAssembly 6.11.1.354 _CorExeMain mscoree.dll xml version="1.0" encoding="UTF-8" standalone="yes" — Copyright (c) Microsoft Corporation –> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="5.1.0.0" processorArchitecture="amd64" name="Microsoft.Windows.Services.SvcHost" type="win32" <description>Host Process for Windows Services</description> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> </assembly> Unicode Strings: ===================== cmd.exe SOFTWAREClasses* Timespan https://adobe-flash.us:3389/ �Group Policy Manager gpmsvc The service is responsible for managing settings for the computer and users through the Group Policy component. If the service is disabled, the settings will not be manageable through Group Policy. Any components or applications that depend on the Group Policy component might not be functional if the service is disabled. VS_VERSION_INFO VarFileInfo Translation StringFileInfo 000004b0 Comments Host Process for Windows Services CompanyName Microsoft Corporation FileDescription Host Process for Windows Services FileVersion 6.1.7600.0 InternalName Sorgu.exe LegalCopyright Microsoft Corporation. All rights reserved. OriginalFilename Sorgu.exe ProductName Microsoft Windows Operating System ProductVersion 6.1.7600.0 Assembly Version 0.0.0.0 �
