2024-06-20 09:42:34 +00:00
|
|
|
id: evilbamboo-malware-hash
|
2024-06-19 10:13:35 +00:00
|
|
|
info:
|
2024-06-20 09:42:34 +00:00
|
|
|
name: EvilBamboo Malware Hash - Detect
|
2024-06-19 10:13:35 +00:00
|
|
|
author: pussycat0x
|
|
|
|
severity: info
|
|
|
|
description: |
|
|
|
|
Detection of the BADSOLAR and BADBAZAAR data collection files, which are shared by both malware families.
|
|
|
|
reference:
|
|
|
|
- https://github.com/volexity/threat-intel/blob/main/2023/2023-09-22%20EvilBamboo/indicators/rules.yar
|
|
|
|
- https://www.lookout.com/blog/uyghur-surveillance-campaign-badbazaar-moonshine
|
|
|
|
tags: malware,evilbamboo
|
|
|
|
|
|
|
|
file:
|
|
|
|
- extensions:
|
|
|
|
- all
|
|
|
|
|
|
|
|
matchers:
|
|
|
|
- type: dsl
|
|
|
|
dsl:
|
|
|
|
- "sha256(raw) == '8448f5cf984e9871966893f0604d9b6d70672c38ff1138a03377848b85a5fcaf'"
|
|
|
|
- "sha256(raw) == 'bf5f7fbf42236e89bcf663d2822d54bee89abaf3f247a54f371bf156e0e03629'"
|
|
|
|
- "sha256(raw) == '8448f5cf984e9871966893f0604d9b6d70672c38ff1138a03377848b85a5fcaf'"
|
|
|
|
- "sha256(raw) == 'f7132750db2a8ca8eb9e9e5a32377aa506395d02bacbb918f835041f5f035c4c'"
|
|
|
|
- "sha256(raw) == 'daf3d2cb6f1bbb7c8d1cfb5fc0db23afc304a622ebb24aa940228be691bcda2b'"
|
|
|
|
- "sha256(raw) == '549d726fe2b775cfdd1304c2d689dfd779731336a3143225dc3c095440f69ed0'"
|
|
|
|
- "sha256(raw) == '0fea799ce00c7d6f26ccb52a2ecbe6b9605cfb9910f2a309a841caedf3b102d7'"
|
|
|
|
- "sha256(raw) == 'f0bf154d1e90491199b66ab95c1a4071669f3322c55f3643e36c20a9fb63eb56'"
|
|
|
|
- "sha256(raw) == '549d726fe2b775cfdd1304c2d689dfd779731336a3143225dc3c095440f69ed0'"
|
|
|
|
- "sha256(raw) == '6aefc2b33e23f6e3c96de51d07f7123bd23ff951d67849a9bd32d446e76fb405'"
|
|
|
|
- "sha256(raw) == 'bf5f7fbf42236e89bcf663d2822d54bee89abaf3f247a54f371bf156e0e03629'"
|
|
|
|
- "sha256(raw) == 'fa9154eaa3df4ff4464b21c45362fd1c7fb5e68108ab350c05f2ca9f60263988'"
|
|
|
|
- "sha256(raw) == 'c5e8476fc6938a36438a433b48e80213e2251b1d4b20a9469912d628a86198b3'"
|
|
|
|
- "sha256(raw) == '28560642fe99b3e611510f5559a12eb41112f3e2b3005432f7343cb79ff47a34'"
|
|
|
|
- "sha256(raw) == '7995c382263f8dbbfc37a9d62392aef8b4f89357d436b3dd94dea842f9574ecf'"
|
|
|
|
- "sha256(raw) == 'efea95720853e0cd2d9d4e93a64a726cfe17efea7b17af7c4ae6d3a6acae5b30'"
|
|
|
|
condition: or
|
2024-06-21 10:04:41 +00:00
|
|
|
# digest: 4a0a0047304502206d8e6848dc4301823b8e130856dbe24d08992b76845f62f3714c1616a1132640022100b6f74f98ddbd5421cb7228f6f2a457ce927e5d388f36b2296286d137d7eb74ed:922c64590222798bb761d5b6d8e72950
|