Skip to content

Commit

Permalink
requested tweaks to description
Browse files Browse the repository at this point in the history
  • Loading branch information
mthaxton committed Feb 2, 2024
1 parent fd8de65 commit 81e92ff
Show file tree
Hide file tree
Showing 3 changed files with 12 additions and 12 deletions.
4 changes: 2 additions & 2 deletions packs/win_malware.conf
Original file line number Diff line number Diff line change
Expand Up @@ -788,7 +788,7 @@
"query": "SELECT object_name, object_type from winbaseobj WHERE object_type='Mutant' AND (object_name='ThreadMutex12453' OR object_name='3e603a07-7b2d-4a15-afef-7e9a0841e4d5' OR object_name like 'rrx_%' OR object_name='6c2711b5-e736-4397-a883-0d181a3f85ae');",
"interval": 86400,
"snapshot": true,
"description": "The Zardoor backdoor components were written to disk and executed. Zardoor is a custom remote access tool notably used by Threat Actors to maintain remote access on the system. Once successfully executed, Zardoor can be used to execute arbitrary commands, interact with the file system, and connect to other systems on the local network.",
"description": "Zardoor backdoor components were written to disk and executed. Zardoor is a custom remote access tool (RAT) notably used by threat actors to maintain unauthorized access on the infected system. Once successfully executed, Zardoor can be used to execute arbitrary commands, interact with the file system, and connect to other systems on the local network.",
"platform": [
"windows"
]
Expand All @@ -797,7 +797,7 @@
"query": "SELECT f.filename, h.sha256, f.uid, f.gid, f.mode, f.size, DATETIME(f.atime,'unixepoch','UTC') AS last_access_time, DATETIME(f.mtime, 'unixepoch', 'UTC') AS last_modified, DATETIME(f.ctime, 'unixepoch', 'UTC') AS last_status_change_time, DATETIME(f.btime, 'unixepoch', 'UTC') AS creation_time, f.type FROM file f LEFT JOIN hash h ON f.path = h.path WHERE (f.filename = 'oci.dll' OR f.filename = 'zor32.dll' OR f.filename = 'zar32.dll') AND f.directory = 'C:\\Windows\\System32';",
"interval": 86400,
"snapshot": true,
"description": "The Zardoor backdoor components were written to disk and executed. Zardoor is a custom remote access tool notably used by Threat Actors to maintain remote access on the system. Once successfully executed, Zardoor can be used to execute arbitrary commands, interact with the file system, and connect to other systems on the local network.",
"description": "Zardoor backdoor components were written to disk and executed. Zardoor is a custom remote access tool (RAT) notably used by threat actors to maintain unauthorized access on the infected system. Once successfully executed, Zardoor can be used to execute arbitrary commands, interact with the file system, and connect to other systems on the local network.",
"platform": [
"windows"
]
Expand Down
10 changes: 5 additions & 5 deletions win_malware/zardoor_modules.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -5,11 +5,11 @@ Zardoor Modules:
WHERE (f.filename = "oci.dll" OR f.filename = "zor32.dll" OR f.filename = "zar32.dll") AND f.directory = "C:\Windows\System32";
interval: 86400
snapshot: true
description: The Zardoor backdoor components were written to disk and executed.
Zardoor is a custom remote access tool notably used by Threat Actors to maintain remote
access on the system. Once successfully executed, Zardoor can be used to execute
arbitrary commands, interact with the file system, and connect to other systems
on the local network.
description: Zardoor backdoor components were written to disk and executed. Zardoor
is a custom remote access tool (RAT) notably used by threat actors to maintain
unauthorized access on the infected system. Once successfully executed, Zardoor
can be used to execute arbitrary commands, interact with the file system, and
connect to other systems on the local network.
references:
- c6419df4bbda5b75ea4a0b8e8acd2100b149443584390c91a218e7735561ef74
- f71f7c68209ea8218463df397e5c39ef5f916f138dc001feb3a60ef585bd2ac2
Expand Down
10 changes: 5 additions & 5 deletions win_malware/zardoor_mutex.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,11 +4,11 @@ Zardoor Mutex:
WHERE object_type = "Mutant" AND (object_name = "ThreadMutex12453" OR object_name = "3e603a07-7b2d-4a15-afef-7e9a0841e4d5" OR object_name like "rrx_%" OR object_name = "6c2711b5-e736-4397-a883-0d181a3f85ae");
interval: 86400
snapshot: true
description: The Zardoor backdoor components were written to disk and executed.
Zardoor is a custom remote access tool notably used by Threat Actors to maintain remote
access on the system. Once successfully executed, Zardoor can be used to execute
arbitrary commands, interact with the file system, and connect to other systems
on the local network.
description: Zardoor backdoor components were written to disk and executed. Zardoor
is a custom remote access tool (RAT) notably used by threat actors to maintain
unauthorized access on the infected system. Once successfully executed, Zardoor
can be used to execute arbitrary commands, interact with the file system, and
connect to other systems on the local network.
references:
- c6419df4bbda5b75ea4a0b8e8acd2100b149443584390c91a218e7735561ef74
- f71f7c68209ea8218463df397e5c39ef5f916f138dc001feb3a60ef585bd2ac2
Expand Down

0 comments on commit 81e92ff

Please sign in to comment.