2024-06-20 09:42:34 +00:00
|
|
|
id: godzilla-webshell-hash
|
2024-06-19 10:13:35 +00:00
|
|
|
info:
|
2024-06-20 09:42:34 +00:00
|
|
|
name: Godzilla Webshell Hash - Detect
|
2024-06-19 10:13:35 +00:00
|
|
|
author: pussycat0x
|
|
|
|
severity: info
|
|
|
|
description: Detects the JSP implementation of the Godzilla Webshell.
|
|
|
|
reference:
|
|
|
|
- https://github.com/volexity/threat-intel/blob/main/2022/2022-08-10%20Mass%20exploitation%20of%20(Un)authenticated%20Zimbra%20RCE%20CVE-2022-27925/yara.yar
|
|
|
|
- https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/
|
|
|
|
tags: malware,webshells
|
|
|
|
|
|
|
|
file:
|
|
|
|
- extensions:
|
|
|
|
- all
|
|
|
|
|
|
|
|
matchers:
|
|
|
|
- type: dsl
|
|
|
|
dsl:
|
2024-06-21 10:04:41 +00:00
|
|
|
- "sha256(raw) == '2786d2dc738529a34ecde10ffeda69b7f40762bf13e7771451f13a24ab7fc5fe'"
|
|
|
|
# digest: 4b0a00483046022100ef923e9e696242b4b131011cefeea985b6ff2d5a336f3d987fd240f9717ee34f022100f563f8d4f335a993968b3e542f5f944381f033939dcf870a4b823414fc9f1eab:922c64590222798bb761d5b6d8e72950
|