id: godzilla-webshell-hash
info:
  name: Godzilla Webshell Hash - Detect
  author: pussycat0x
  severity: info
  description: Detects the JSP implementation of the Godzilla Webshell.
  reference:
    - https://github.com/volexity/threat-intel/blob/main/2022/2022-08-10%20Mass%20exploitation%20of%20(Un)authenticated%20Zimbra%20RCE%20CVE-2022-27925/yara.yar
    - https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/
  tags: malware,webshells

file:
  - extensions:
      - all

    matchers:
      - type: dsl
        dsl:
          - "sha256(raw) == '2786d2dc738529a34ecde10ffeda69b7f40762bf13e7771451f13a24ab7fc5fe'"
# digest: 4b0a00483046022100ef923e9e696242b4b131011cefeea985b6ff2d5a336f3d987fd240f9717ee34f022100f563f8d4f335a993968b3e542f5f944381f033939dcf870a4b823414fc9f1eab:922c64590222798bb761d5b6d8e72950