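rule win_graphical_neutrino_w0 {
    // Detects win.graphical_neutrino (x64 PE) via two code signatures and one
    // library artefact, as published by the Polish Military Counterintelligence
    // Service (SKW) together with CERT.PL.
    //
    // Match logic: the PE magic, the size bound, the nlohmann JSON source path
    // and the Obfuscate-library string-decryption stub are all required; then
    // EITHER the emoji beaconing-counter initialisation OR the XOR payload
    // decryption loop must also be present.

    meta:
        author = "Military Counterintelligence Service and CERT.PL"
        date = "2023-04-13"
        description = "Detects win.graphical_neutrino."
        source = "https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphical_neutrino"
        malpedia_rule_date = "20230601"
        malpedia_hash = ""
        malpedia_version = "20230601"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Payload decryption loop -- custom algorithm based on XOR.
        // Fixed bytes include the XOR of the key byte (32 54 08 10 / 31 C2) and
        // the IMUL (41 0F AF C0) that advances the keystream; the ?? wildcards
        // sit on displacement/register bytes that presumably differ between
        // builds (confirm against additional samples before tightening).
        $op_decrypt_payload = {49 8B 45 08 48 ?? ?? ?? 48 39 ?? 76 2B 48 89 C8 31 D2 4C 8B 4C 24 ?? 48 F7 74 24 ?? 49 8B 45
        00 41 8A 14 11 32 54 08 10 89 C8 41 0F AF C0 31 C2 88 14 0B 48 FF C1}

        // String decryption routine emitted by the "Obfuscate" C++ library.
        // Fully fixed byte sequence (no wildcards); this is a required anchor
        // in the condition below.
        $op_decrypt_string = {48 39 D0 74 19 48 89 C1 4D 89 C2 83 E1 07 48 C1 E1 03 49 D3 EA 45 30 14 01 48 FF C0 EB E2}

        // Hard-coded initial value used as the beaconing counter.
        // C6 is a `mov byte ptr [..], imm8`; F0 9F is the leading byte pair of
        // a 4-byte UTF-8 emoji sequence. The [3] / [4] jumps skip encoding
        // bytes in between, so this pattern is short and deliberately loose --
        // which is why it is only accepted in combination with the anchors.
        $op_initialize_emoji = {C6 [3] A5 66 [4] F0 9F}

        // "src/json.hpp\0" -- source path left in the binary by the nlohmann
        // JSON header library.
        $str_nlohmann = {73 72 63 2F 6A 73 6F 6E 2E 68 70 70 00}

    condition:
        // 'MZ' DOS header magic, read as a little-endian 16-bit word.
        uint16(0) == 0x5A4D
        // NOTE(review): samples padded above 500KB, or memory dumps without
        // a DOS header, will not match; confirm the bound against observed
        // sample sizes before relying on this rule for broad hunting.
        and filesize < 500KB
        and $str_nlohmann
        and $op_decrypt_string
        and ($op_initialize_emoji or $op_decrypt_payload)
}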
