id: godzilla-webshell-hash info: name: Godzilla Webshell Hash - Detect author: pussycat0x severity: info description: Detects the JSP implementation of the Godzilla Webshell. reference: - https://github.com/volexity/threat-intel/blob/main/2022/2022-08-10%20Mass%20exploitation%20of%20(Un)authenticated%20Zimbra%20RCE%20CVE-2022-27925/yara.yar - https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/ tags: malware,webshells file: - extensions: - all matchers: - type: dsl dsl: - "sha256(raw) == '2786d2dc738529a34ecde10ffeda69b7f40762bf13e7771451f13a24ab7fc5fe'" # digest: 4b0a00483046022100ef923e9e696242b4b131011cefeea985b6ff2d5a336f3d987fd240f9717ee34f022100f563f8d4f335a993968b3e542f5f944381f033939dcf870a4b823414fc9f1eab:922c64590222798bb761d5b6d8e72950