fact-depend / rules
Commit 1c56ba9b
authored May 08, 2017 by j0sm1
Committed by GitHub May 08, 2017
Update MALW_Mirai.yar
We have added more Mirai rules from @joanbtl
parent f9de8c15
Showing 1 changed file with 122 additions and 0 deletions
malware/MALW_Mirai.yar (+122, -0)
malware/MALW_Mirai.yar View file @ 1c56ba9b
@@ -165,3 +165,125 @@ rule Mirai_SPARC_MSB : MALW
( $miname and $iptables1 and $iptables2 and $procnet ) and
hash.sha1(0,filesize) == "3d770480b6410cba39e19b3a2ff3bec774cabe47"
}
rule Mirai_1 : MALW
{
meta:
description = "Mirai Variant 1"
author = "Joan Soriano / @joanbtl"
date = "2017-04-16"
version = "1.0"
MD5 = "655c3cf460489a7d032c37cd5b84a3a8"
SHA1 = "4dd3803956bc31c8c7c504734bddec47a1b57d58"
strings:
$dir1 = "/dev/watchdog"
$dir2 = "/dev/misc/watchdog"
$pass1 = "PMMV"
$pass2 = "FGDCWNV"
$pass3 = "OMVJGP"
condition:
$dir1 and $pass1 and $pass2 and not $pass3 and not $dir2
}
rule Mirai_2 : MALW
{
meta:
description = "Mirai Variant 2"
author = "Joan Soriano / @joanbtl"
date = "2017-04-16"
version = "1.0"
MD5 = "0e5bda9d39b03ce79ab8d421b90c0067"
SHA1 = "96f42a9fad2923281d21eca7ecdd3161d2b61655"
strings:
$dir1 = "/dev/watchdog"
$dir2 = "/dev/misc/watchdog"
$s1 = "PMMV"
$s2 = "ZOJFKRA"
$s3 = "FGDCWNV"
$s4 = "OMVJGP"
condition:
$dir1 and $dir2 and $s1 and $s2 and $s3 and not $s4
}
rule Mirai_3 : MALW
{
meta:
description = "Mirai Variant 3"
author = "Joan Soriano / @joanbtl"
date = "2017-04-16"
version = "1.0"
MD5 = "bb22b1c921ad8fa358d985ff1e51a5b8"
SHA1 = "432ef83c7692e304c621924bc961d95c4aea0c00"
strings:
$dir1 = "/dev/watchdog"
$dir2 = "/dev/misc/watchdog"
$s1 = "PMMV"
$s2 = "ZOJFKRA"
$s3 = "FGDCWNV"
$s4 = "OMVJGP"
$ssl = "ssl3_ctrl"
condition:
$dir1 and $dir2 and $s1 and $s2 and $s3 and $s4 and not $ssl
}
rule Mirai_4 : MALW
{
meta:
description = "Mirai Variant 4"
author = "Joan Soriano / @joanbtl"
date = "2017-04-16"
version = "1.0"
MD5 = "f832ef7a4fcd252463adddfa14db43fb"
SHA1 = "4455d237aadaf28aafce57097144beac92e55110"
strings:
$s1 = "210765"
$s2 = "qllw"
$s3 = ";;;;;;"
condition:
$s1 and $s2 and $s3
}
rule Mirai_Dwnl : MALW
{
meta:
description = "Mirai Downloader"
author = "Joan Soriano / @joanbtl"
date = "2017-04-16"
version = "1.0"
MD5 = "85784b54dee0b7c16c57e3a3a01db7e6"
SHA1 = "6f6c625ef730beefbc23c7f362af329426607dee"
strings:
$s1 = "GET /mirai/"
$s2 = "dvrHelper"
condition:
$s1 and $s2
}
rule Mirai_5 : MALW
{
meta:
description = "Mirai Variant 5"
author = "Joan Soriano / @joanbtl"
date = "2017-04-16"
version = "1.0"
MD5 = "7e17c34cddcaeb6755c457b99a8dfe32"
SHA1 = "b63271672d6a044704836d542d92b98e2316ad24"
strings:
$dir1 = "/dev/watchdog"
$dir2 = "/dev/misc/watchdog"
$s1 = "PMMV"
$s2 = "ZOJFKRA"
$s3 = "FGDCWNV"
$s4 = "OMVJGP"
$ssl = "ssl3_ctrl"
condition:
$dir1 and $dir2 and $s1 and $s2 and $s3 and $s4 and $ssl
}
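Review bot: the conditions of Mirai_1 through Mirai_4 rest on plain 4- to 7-byte strings ("PMMV", "FGDCWNV", "OMVJGP", "ZOJFKRA", "qllw", ";;;;;;") with no `fullword` modifier and no file-type guard, so any binary or text file that happens to contain those byte runs will match; unlike Mirai_SPARC_MSB just above, which pins its match to a sha1, nothing in these rules narrows the input. Suggest marking the alphabetic strings `fullword`, replacing or lengthening `$s3 = ";;;;;;"` in Mirai_4, and prefixing each condition with an ELF magic check, e.g. `uint32(0) == 0x464c457f and $dir1 and $pass1 and ...`. A second issue is that the negated terms make the five variant rules partition the sample space rather than layer: Mirai_3 and Mirai_5 have identical strings and differ only in `not $ssl` versus `$ssl`, and Mirai_1 and Mirai_2 exclude `$dir2` and `$s4` respectively, so a sample carrying all of the strings matches only Mirai_5 and a new build that drops one of them can match none of them. A core rule on `$dir1 and $dir2 and 3 of ($s*)` with the per-variant rules kept as refinements would survive string churn better, and the `MD5`/`SHA1` meta fields would be more useful if each rule's description said whether they are the single sample the strings were pulled from, since they are the only provenance given.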