From a16560e1bf4452991a12eb50cec30f4e845476c9 Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Thu, 20 Jun 2024 15:31:03 +0530
Subject: [PATCH] Update and rename upstyle-malware.yaml to upstyle-malware-hash.yaml

---
 file/malware/upstyle-malware-hash.yaml | 21 +++++++++++++++++
 file/malware/upstyle-malware.yaml      | 31 --------------------------
 2 files changed, 21 insertions(+), 31 deletions(-)
 create mode 100644 file/malware/upstyle-malware-hash.yaml
 delete mode 100644 file/malware/upstyle-malware.yaml

diff --git a/file/malware/upstyle-malware-hash.yaml b/file/malware/upstyle-malware-hash.yaml
new file mode 100644
index 0000000000..dddcd0706d
--- /dev/null
+++ b/file/malware/upstyle-malware-hash.yaml
@@ -0,0 +1,21 @@
+id: upstyle-malware-hash
+info:
+  name: Upstyle Malware Hash - Detect
+  author: Kazgangap
+  severity: info
+  reference:
+    - https://unit42.paloaltonetworks.com/cve-2024-3400/
+    - https://github.com/volexity/threat-intel/blob/main/2024/2024-04-12%20Palo%20Alto%20Networks%20GlobalProtect/indicators/rules.yar
+  tags: malware,cve2024
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "sha256(raw) == '3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac'"
+          - "sha256(raw) == '0d59d7bddac6c22230187ef6cf7fa22bca93759edc6f9127c41dc28a2cea19d8'"
+          - "sha256(raw) == '4dd4bd027f060f325bf6a90d01bfcf4e7751a3775ad0246beacc6eb2bad5ec6f'"
+        condition: or
diff --git a/file/malware/upstyle-malware.yaml b/file/malware/upstyle-malware.yaml
deleted file mode 100644
index fab6017d8d..0000000000
--- a/file/malware/upstyle-malware.yaml
+++ /dev/null
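Review bot: The three `sha256(raw) == '…'` comparisons at the end of the hunk are now the only detection logic, so a re-packed or lightly edited copy of the backdoor produces no match, while the content matchers the old template carried (`exec(base64.`, the `/opt/pancfg/mgmt/licenses/PA_VM` path) are dropped rather than kept beside the hashes; consider retaining them as a second `matchers` entry with `matchers-condition: or`, or as a sibling template, so the hash rule is the high-confidence tier rather than the whole rule. The hashes are also unlabelled: a YAML comment above the `dsl:` list such as `# SHA-256 of known UPSTYLE backdoor samples, taken from the Volexity/Unit 42 references above` would let a reader verify them against the references without re-deriving them (which hash corresponds to which file is not visible here). With `extensions:` set to `all`, every file nuclei reaches is read in full and hashed; if the project's other file templates bound that with `max-size`, this one should too. Finally, `severity: info` looks low for an exact hash match on a known backdoor — if the repository's other file/malware templates use a higher severity, this template should follow them, and since the rename dropped the `cve-2024-3400` tag, a `classification:` block with `cve-id: CVE-2024-3400` would keep the CVE machine-readable.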
@@ -1,31 +0,0 @@
-id: upstyle-py-malware
-info:
-  name: Upstyle Malware - Detect
-  author: Kazgangap
-  severity: info
-  reference:
-    - https://unit42.paloaltonetworks.com/cve-2024-3400/
-    - https://github.com/volexity/threat-intel/blob/main/2024/2024-04-12%20Palo%20Alto%20Networks%20GlobalProtect/indicators/rules.yar
-  tags: malware,cve-2024-3400
-file:
-  - extensions:
-      - "py"
-
-    matchers:
-      - type: word
-        part: raw
-        words:
-          - "/opt/pancfg/mgmt/licenses/PA_VM"
-          - "exec(base64."
-        condition: or
-
-      - type: word
-        part: raw
-        words:
-          - "signal.signal(signal.SIGTERM,stop)"
-          - "exec(base64."
-        condition: or
-
-      - type: regex
-        regex:
-          - "write(\"/*\"+output+\"*/\")"
\ No newline at end of file