Update APT_APT_27_Nov_2020_1.yar
This commit is contained in:
parent
385da2a254
commit
6e1ee529a9
@ -10,26 +10,26 @@ rule APT_APT_27_Nov_2020_1 {
|
|||||||
hash4 = "7de86f83f18c6c8ded0d75ab2f84f34ab115dd84d36b7e490e2bd456f77a78ce"
|
hash4 = "7de86f83f18c6c8ded0d75ab2f84f34ab115dd84d36b7e490e2bd456f77a78ce"
|
||||||
hash5 = "cc1455e3a479602581c1c7dc86a0e02605a3c14916b86817960397d5a2f41c31"
|
hash5 = "cc1455e3a479602581c1c7dc86a0e02605a3c14916b86817960397d5a2f41c31"
|
||||||
strings:
|
strings:
|
||||||
$s1 = "bypass_iptables" fullword ascii
|
$s1 = "PortforwardThread" fullword ascii
|
||||||
$s2 = "PortforwardThread" fullword ascii
|
$s2 = "bypass_iptables" fullword ascii
|
||||||
$s3 = "getfiles" fullword ascii
|
$s3 = "gethostbyname@@GLIBC_2.2.5" fullword ascii
|
||||||
$s4 = "<LIST><name><![CDATA[%s]]></name><type>%o</type><perm>%o</perm><user>%s:%s</user><size>%llu</size><time>%s</time></LIST>" fullword ascii
|
$s4 = "getfiles" fullword ascii
|
||||||
$s5 = "portforward.c" fullword ascii
|
$s5 = "<LIST><name><![CDATA[%s]]></name><type>%o</type><perm>%o</perm><user>%s:%s</user><size>%llu</size><time>%s</time></LIST>" fullword ascii
|
||||||
$s6 = "LOGNAME=root" fullword ascii
|
$s6 = "portforward.c" fullword ascii
|
||||||
$s7 = "xorkeys" fullword ascii
|
$s7 = "execve@@GLIBC_2.2.5" fullword ascii
|
||||||
$s8 = "USERNAME=root" fullword ascii
|
$s8 = "LOGNAME=root" fullword ascii
|
||||||
$s9 = "PortMapThread" fullword ascii
|
$s9 = "xorkeys" fullword ascii
|
||||||
$s10 = "USER=root" fullword ascii
|
$s10 = "PortMapThread" fullword ascii
|
||||||
$s11 = "encrypt_pty" fullword ascii
|
$s11 = "USER=root" fullword ascii
|
||||||
$s12 = "encrypt_code" fullword ascii
|
$s12 = "USERNAME=root" fullword ascii
|
||||||
$s13 = "DownFile" fullword ascii
|
$s13 = "getpid@@GLIBC_2.2.5" fullword ascii
|
||||||
$s14 = "get_randstr" fullword ascii
|
$s14 = "encrypt.c" fullword ascii
|
||||||
$s15 = "PtyShell" fullword ascii
|
$s15 = "DownFile" fullword ascii
|
||||||
$s16 = "encrypt.c" fullword ascii
|
$s16 = "fgets@@GLIBC_2.2.5" fullword ascii
|
||||||
$s17 = "ReConnect" fullword ascii
|
$s17 = "encrypt_pty" fullword ascii
|
||||||
$s18 = "saferecv" fullword ascii
|
$s18 = "getgrgid@@GLIBC_2.2.5" fullword ascii
|
||||||
$s19 = "sendudp" fullword ascii
|
$s19 = "ReConnect" fullword ascii
|
||||||
$s20 = "safesend" fullword ascii
|
$s20 = "getsockopt@@GLIBC_2.2.5" fullword ascii
|
||||||
condition:
|
condition:
|
||||||
uint16(0) == 0x7f45 and filesize > 25KB and 12 of ($s*)
|
uint16(0) == 0x457f and filesize > 20KB and 12 of them
|
||||||
}
|
}
|
||||||
|
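Review bot: The new condition `12 of them` lets nine low-signal strings carry the match: the six versioned import names (`gethostbyname@@GLIBC_2.2.5`, `execve@@GLIBC_2.2.5`, `getpid@@GLIBC_2.2.5`, `fgets@@GLIBC_2.2.5`, `getgrgid@@GLIBC_2.2.5`, `getsockopt@@GLIBC_2.2.5`) look like linker symbol-table entries that any unstripped x86-64 glibc binary importing those functions would contain, and `USER=root`/`LOGNAME=root`/`USERNAME=root` are environment strings, so an unrelated ELF needs only three of the eleven tool-specific strings (`bypass_iptables`, `PortforwardThread`, `portforward.c`, `encrypt.c`, `xorkeys`, the `<LIST>` format string, …) to fire. Grouping the nine generic strings under `$g*` and anchoring the threshold on the specific ones keeps the coverage this commit adds without letting the import names decide the verdict; the exact counts below are a suggestion to tune against the four listed hashes. The lowered `filesize > 20KB` also has no upper bound, so every large ELF is scanned in full; if the samples are small, a `filesize < N` cap is worth adding. The `rule` header and the start of the `meta` block lie above this hunk and were not reviewed.
```yara
        // … unchanged: meta hashes and the eleven tool-specific $s strings …
        $g1 = "gethostbyname@@GLIBC_2.2.5" fullword ascii
        $g2 = "execve@@GLIBC_2.2.5" fullword ascii
        $g3 = "getpid@@GLIBC_2.2.5" fullword ascii
        $g4 = "fgets@@GLIBC_2.2.5" fullword ascii
        $g5 = "getgrgid@@GLIBC_2.2.5" fullword ascii
        $g6 = "getsockopt@@GLIBC_2.2.5" fullword ascii
        $g7 = "LOGNAME=root" fullword ascii
        $g8 = "USER=root" fullword ascii
        $g9 = "USERNAME=root" fullword ascii
    condition:
        uint16(0) == 0x457f and filesize > 20KB and 8 of ($s*) and 3 of ($g*)
```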