Sneed-Reactivity/yara-Neo23x0/gen_lnx_malware_indicators.yar


rule SUSP_LNX_Linux_Malware_Indicators_Aug20_1 {
   meta:
      description = "Detects indicators often found in linux malware samples"
      author = "Florian Roth (Nextron Systems)"
      score = 65
      reference = "Internal Research"
      date = "2020-08-03"
      id = "9a1093a6-0239-5d1c-aa30-1ca725941583"
   strings:
      $s1 = "&& chmod +x" ascii 
      $s2 = "|base64 -" ascii
      $s3 = " /tmp" ascii 
      $s4 = "|curl " ascii
      $s5 = "whoami" ascii fullword

      $fp1 = "WITHOUT ANY WARRANTY" ascii 
      $fp2 = "postinst" ascii fullword
      $fp3 = "THIS SOFTWARE IS PROVIDED" ascii fullword
      $fp4 = "Free Software Foundation" ascii fullword
   condition:
      filesize < 400KB and
      3 of ($s*) and not 1 of ($fp*)
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00
			`rule SUSP_LNX_Linux_Malware_Indicators_Aug20_1 {`
			`meta:`
			`description = "Detects indicators often found in linux malware samples"`
			`author = "Florian Roth (Nextron Systems)"`
			`score = 65`
			`reference = "Internal Research"`
			`date = "2020-08-03"`
			`id = "9a1093a6-0239-5d1c-aa30-1ca725941583"`
			`strings:`
			`$s1 = "&& chmod +x" ascii`
			`$s2 = "\|base64 -" ascii`
			`$s3 = " /tmp" ascii`
			`$s4 = "\|curl " ascii`
			`$s5 = "whoami" ascii fullword`

			`$fp1 = "WITHOUT ANY WARRANTY" ascii`
			`$fp2 = "postinst" ascii fullword`
			`$fp3 = "THIS SOFTWARE IS PROVIDED" ascii fullword`
			`$fp4 = "Free Software Foundation" ascii fullword`
			`condition:`
			`filesize < 400KB and`
			`3 of ($s) and not 1 of ($fp)`
			`}`