Skip to content

R
rules
Switch branch/tag
Find file
BlameHistoryPermalink
MALW_Magento_suspicious.yar 2.21 KB
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 
/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.

*/
/*
ref : https://github.com/gwillem/magento-malware-scanner/
author : https://github.com/gwillem

*/

rule fromCharCode_in_unicode {
    strings: 
        $ = "\\u0066\\u0072\\u006f\\u006d\\u0043\\u0068\\u0061\\u0072\\u0043\\u006f\\u0064\\u0065"
    condition: 
        any of them and filesize < 500KB
}
rule function_through_object {
    strings: 
        $ = "['eval']"
        $ = "['unescape']"
        $ = "['charCodeAt']"
        $ = "['fromCharCode']"
    condition: 
        any of them and filesize < 500KB
}
rule hex_script {
    strings:
        $ = "\\x73\\x63\\x72\\x69\\x70\\x74\\x22"
    condition: 
        any of them and filesize < 500KB
}

rule php_malfunctions {
    strings:
        $ = "eval("
        $ = "gzinflate("
        $ = "str_rot13("
        $ = "base64_decode("
    condition: 
        3 of them and filesize < 500KB
}

rule php_obf_malfunctions {
    strings:
        $ = "eval(base64_decode"
        $ = "eval(gzinflate"
        $ = "str_rot13(base64_decode"
    condition: 
        any of them and filesize < 500KB
}
        
rule fopo_obfuscator {
    strings:
        $ = "www.fopo.com.ar"
    condition: 
        any of them and filesize < 500KB
}

rule obf_base64_decode {
    strings: 
        $ = "\\x62\\x61\\x73\\145\\x36\\x34\\x5f\\x64\\x65\\143\\x6f\\144\\145"
    condition: 
        any of them and filesize < 500KB
}

rule html_upload {
    strings: 
        $ = "<input type='submit' name='upload' value='upload'>"
        $ = "if($_POST['upload'])"
    condition: 
        any of them and filesize < 500KB
}

rule php_uname {
    strings: 
        $ = "php_uname()"
    condition: 
        any of them and filesize < 500KB
}

rule scriptkiddies {
    strings:
        $ = "lastc0de@Outlook.com" nocase
        $ = "CodersLeet" nocase
        $ = "AgencyCaFc" nocase
        $ = "IndoXploit" nocase
        $ = "Kapaljetz666" nocase
    condition: 
        any of them and filesize < 500KB
}

rule eval_with_comments {
	strings:
		$ = /(^|\s)eval\s*\/\*.{,128}\*\/\s*\(/
	condition: 
        any of them and filesize < 500KB
}