Update and rename upstyle-malware.yaml to upstyle-malware-hash.yaml

2024-06-20 15:31:03 +05:30 · 2024-06-20 15:31:03 +05:30 · a16560e1bf
parent 2d9541628e
commit a16560e1bf
2 changed files with 21 additions and 31 deletions
--- a/file/malware/upstyle-malware-hash.yaml
+++ b/file/malware/upstyle-malware-hash.yaml
@ -0,0 +1,21 @@
+id: upstyle-malware-hash
+info:
+  name: Upstyle Malware Hash - Detect
+  author: Kazgangap
+  severity: info
+  reference:
+    - https://unit42.paloaltonetworks.com/cve-2024-3400/
+    - https://github.com/volexity/threat-intel/blob/main/2024/2024-04-12%20Palo%20Alto%20Networks%20GlobalProtect/indicators/rules.yar
+  tags: malware,cve2024
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == '3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac'"
+          - "sha256(raw) == '0d59d7bddac6c22230187ef6cf7fa22bca93759edc6f9127c41dc28a2cea19d8'"
+          - "sha256(raw) == '4dd4bd027f060f325bf6a90d01bfcf4e7751a3775ad0246beacc6eb2bad5ec6f'"
+        condition: or
--- a/file/malware/upstyle-malware.yaml
+++ b/file/malware/upstyle-malware.yaml
@ -1,31 +0,0 @@
-id: upstyle-py-malware
-info:
-  name: Upstyle Malware - Detect
-  author: Kazgangap
-  severity: info
-  reference:
-    - https://unit42.paloaltonetworks.com/cve-2024-3400/
-    - https://github.com/volexity/threat-intel/blob/main/2024/2024-04-12%20Palo%20Alto%20Networks%20GlobalProtect/indicators/rules.yar
-  tags: malware,cve-2024-3400
-file:
-  - extensions:
-      - "py"
-
-    matchers:
-      - type: word
-        part: raw
-        words:
-          - "/opt/pancfg/mgmt/licenses/PA_VM"
-          - "exec(base64."
-        condition: or
-
-      - type: word
-        part: raw
-        words:
-          - "signal.signal(signal.SIGTERM,stop)"
-          - "exec(base64."
-        condition: or
-
-      - type: regex
-        regex:
-          - "write(\"/*\"+output+\"*/\")"