Unverified Commit a35f509f by unixfreaxjp Committed by GitHub

Update MALW_Mirai_Okiru_ELF.yar

parent 2577beea
...@@ -18,6 +18,7 @@ private rule is__Mirai_gen7 { ...@@ -18,6 +18,7 @@ private rule is__Mirai_gen7 {
$st04 = "/bin/busybox tftp" fullword nocase wide ascii $st04 = "/bin/busybox tftp" fullword nocase wide ascii
$st05 = "/bin/busybox cp" fullword nocase wide ascii $st05 = "/bin/busybox cp" fullword nocase wide ascii
$st06 = "/bin/busybox chmod" fullword nocase wide ascii $st06 = "/bin/busybox chmod" fullword nocase wide ascii
$st07 = "/bin/busybox cat" fullword nocase wide ascii
condition: condition:
5 of them 5 of them
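Review bot: the condition `5 of them` is left unchanged while this hunk adds `$st07 = "/bin/busybox cat"` to the string set of the private rule is__Mirai_gen7, so the rule now matches on any 5 of a larger pool (5 of 7 if the strings run $st01..$st07) rather than 5 of the previous set, which loosens it slightly; if the intent is to keep the same strictness, raise the threshold to `6 of them`, otherwise state in the commit message that the broader match is deliberate.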
...@@ -43,9 +44,9 @@ rule Mirai_Okiru { ...@@ -43,9 +44,9 @@ rule Mirai_Okiru {
strings: strings:
$hexsts01 = { 68 7f 27 70 60 62 73 3c 27 28 65 6e 69 28 65 72 } $hexsts01 = { 68 7f 27 70 60 62 73 3c 27 28 65 6e 69 28 65 72 }
$hexsts02 = { 74 7e 65 68 7f 27 73 61 73 77 3c 27 28 65 6e 69 } $hexsts02 = { 74 7e 65 68 7f 27 73 61 73 77 3c 27 28 65 6e 69 }
// noted for some variant doesnt have below: // noted some Okiru variant doesnt have below function, uncomment to seek specific x86 bins
// $st07 = "iptables -F\n" fullword nocase wide ascii // $st07 = "iptables -F\n" fullword nocase wide ascii
condition: condition:
all of them all of them
and is__elf and is__elf
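Review bot: the rewritten comment (`// noted some Okiru variant doesnt have below function, uncomment to seek specific x86 bins`) tells users to uncomment `$st07` inside a rule whose condition is `all of them`, which would make the `iptables -F\n` string mandatory and drop detection of the very variants the comment says lack it; a separate rule for the x86 case (or a condition that treats `$st07` as optional) would cover both without hand-editing the file, and `doesnt` should read `doesn't`.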