Feature Preparation
```yara
/* -------------------------------------------------------------
 * Generic FC2-PPV malicious archive family
 * ------------------------------------------------------------- */
rule FC2_PPV_Archive
{
    meta:
        description = "Detects files dropped from the FC2-PPV-4512638 RAR series"
        author      = "Your Name"
        date        = "2026-04-16"
        reference   = "internal-analysis-2026-04-16"

    strings:
        // lure file-name prefix used by the series
        $fn1    = "FC2-PPV-" nocase
        // call-back URL pattern (host/path lengths restored to YARA {n,} quantifiers)
        $url    = /https?:\/\/[a-z0-9-]{5,}\.example\.com\/[a-z0-9]{8,}/
        // persistence key name referencing the series
        $reg    = /Run\\.*FC2-PPV/
        // packer epilogue bytes; hex strings must sit inside { }
        $packed = { 60 8B ?? ?? ?? 83 C4 ?? 5F 5E 5D C3 }

    condition:
        any of ($fn1, $url, $reg, $packed)
}
```
- Compute hashes of each extracted file (`sha256sum * > extracted_hashes.txt`).
- Compare file sizes against the archive list.
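As an added example (not part of the original notes), a small Python script that performs both steps together: it hashes every extracted file into `extracted_hashes.txt` and checks each file's size against the sizes the archive listing declares, flagging mismatches, missing and unexpected files. The listing and the sample files are constructed inline for the demo.

```python
import hashlib
import os
import tempfile

# Constructed archive listing (name -> declared size in bytes), in the shape
# you would transcribe from `unrar l` or `7z l` output for the real archive.
ARCHIVE_LIST = {
    "FC2-PPV-4512638.bin": 18,
    "readme.txt": 11,
}

def sha256_of(path, chunk=1 << 20):
    """Stream the file so large droppers are never fully loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def inventory(extract_dir):
    """Return {name: (size, sha256)} for every regular file in extract_dir."""
    out = {}
    for name in sorted(os.listdir(extract_dir)):
        p = os.path.join(extract_dir, name)
        if os.path.isfile(p):
            out[name] = (os.path.getsize(p), sha256_of(p))
    return out

def compare(archive_list, inv):
    """Classify differences between the archive listing and the extraction."""
    report = {"size_mismatch": [], "missing": [], "unexpected": []}
    for name, declared in archive_list.items():
        if name not in inv:
            report["missing"].append(name)
        elif inv[name][0] != declared:
            report["size_mismatch"].append((name, declared, inv[name][0]))
    report["unexpected"] = [n for n in inv if n not in archive_list]
    return report

def demo():
    """Build a constructed extraction directory, hash it, and compare."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "FC2-PPV-4512638.bin"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 16)   # 18 bytes: matches the listing
    with open(os.path.join(d, "readme.txt"), "wb") as f:
        f.write(b"hello")               # 5 bytes: listing says 11
    with open(os.path.join(d, "extra.dll"), "wb") as f:
        f.write(b"x")                   # not in the listing at all
    inv = inventory(d)
    with open(os.path.join(d, "extracted_hashes.txt"), "w") as f:
        for name, (size, digest) in inv.items():
            f.write(f"{digest}  {size:>10}  {name}\n")   # sha256sum-style
    return compare(ARCHIVE_LIST, inv)
```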
static and dynamic malware analysis
The outline is deliberately generic so that you can fill in the actual observations you obtain while working with the file. It covers the most common stages of a (or, more generally, any suspicious archive) and points out the tools, commands and artefacts you will want to capture at each step.