Update MALW_Mirai_Okiru_ELF.yar

a35f509f · unixfreaxjp · GitHub · 2577beea · a35f509f
Unverified Commit a35f509f authored Jan 09, 2018 by unixfreaxjp Committed by GitHub Jan 09, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 2 deletions

MALW_Mirai_Okiru_ELF.yar malware/MALW_Mirai_Okiru_ELF.yar +3 -2

No files found.
--- a/malware/MALW_Mirai_Okiru_ELF.yar
+++ b/malware/MALW_Mirai_Okiru_ELF.yar
@@ -18,6 +18,7 @@ private rule is__Mirai_gen7 {
        	$st04 = "/bin/busybox tftp" fullword nocase wide ascii
        	$st05 = "/bin/busybox cp" fullword nocase wide ascii
        	$st06 = "/bin/busybox chmod" fullword nocase wide ascii
+		$st07 = "/bin/busybox cat" fullword nocase wide ascii

 	condition:
        	5 of them
@@ -43,9 +44,9 @@ rule Mirai_Okiru {
 	strings:
 		$hexsts01 = { 68 7f 27 70 60 62 73 3c 27 28 65 6e 69 28 65 72 }
 		$hexsts02 = { 74 7e 65 68 7f 27 73 61 73 77 3c 27 28 65 6e 69 }
-		// noted for some variant doesnt have below: 
+		// noted some Okiru variant doesnt have below function, uncomment to seek specific x86 bins
    // $st07 = "iptables -F\n" fullword nocase wide ascii
-
+    
 	condition:
    all of them
 		and is__elf