TrojanDownloader:Win32/Eterock.A - Windows Defender Threat Analysis

This is a concrete detection of TrojanDownloader:Win32/Eterock.A, a severe trojan downloader specifically linked to the EternalRocks worm. This threat is designed to exploit vulnerabilities (like those related to EternalBlue) to spread, establish persistence, and download and execute further malicious payloads.

Relevant strings associated with this threat:
 - .shadowbrokers.zip (PEHSTR_EXT)
 - EternalRocks.exe (PEHSTR_EXT)

rule TrojanDownloader_Win32_Eterock_A_2147721503_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "TrojanDownloader:Win32/Eterock.A"
        threat_id = "2147721503"
        type = "TrojanDownloader"
        platform = "Win32: Windows 32-bit platform"
        family = "Eterock"
        severity = "Critical"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "4"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "\\svchost.exe" wide //weight: 1
        $x_1_2 = "\\TaskScheduler" wide //weight: 1
        $x_1_3 = "Finished MkDir Temp" wide //weight: 1
        $x_1_4 = "\\required.glo" wide //weight: 1
        $x_1_5 = "\\dotnetfx.exe /q:a /c:" wide //weight: 1
    condition:
        (filesize < 20MB) and
        (4 of ($x*))
}

Immediately isolate the affected system from the network. Perform a full system scan with updated antivirus software (e.g., Windows Defender) to remove all detected threats. Ensure all operating systems and applications are fully patched, particularly against known SMB vulnerabilities (e.g., MS17-010), to prevent reinfection and propagation.