PHP and ASPX China Chopper

Signed-off-by: Ryan B <randomrhythm@rhythmengineering.com>

PHP and ASPX China Chopper
Signed-off-by: Ryan B <randomrhythm@rhythmengineering.com>
51be7dbf · Ryan B · f1ea16a6 · 51be7dbf
Commit 51be7dbf authored Feb 27, 2021 by Ryan B
Hide whitespace changes
Inline Side-by-side

Showing with 31 additions and 0 deletions

WShell_ChinaChopper.yar webshells/WShell_ChinaChopper.yar +31 -0

No files found.
--- a/webshells/WShell_ChinaChopper.yar
+++ b/webshells/WShell_ChinaChopper.yar
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
+*/
+
+rule webshell_ChinaChopper_aspx
+{
+  meta:
+    author      = "Ryan Boyle randomrhythm@rhythmengineering.com"
+    date        = "2020/10/28"
+    description = "Detect China Chopper ASPX webshell"
+    reference1  = "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html"
+    filetype    = "aspx"
+  strings:
+	$ChinaChopperASPX = {25 40 20 50 61 67 65 20 4C 61 6E 67 75 61 67 65 3D ?? 4A 73 63 72 69 70 74 ?? 25 3E 3C 25 65 76 61 6C 28 52 65 71 75 65 73 74 2E 49 74 65 6D 5B [1-100] 75 6E 73 61 66 65}
+  condition:
+	$ChinaChopperASPX
+}
+
+rule webshell_ChinaChopper_php
+{
+  meta:
+    author      = "Ryan Boyle randomrhythm@rhythmengineering.com"
+    date        = "2020/10/29"
+    description = "Detect China Chopper PHP webshell"
+    reference1  = "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html"
+    filetype    = "php"
+  strings:
+	$ChinaChopperPHP = {3C 3F 70 68 70 20 40 65 76 61 6C 28 24 5F 50 4F 53 54 5B ?? 70 61 73 73 77 6F 72 64 ?? 5D 29 3B 3F 3E}
+  condition:
+	$ChinaChopperPHP
+}