Sneed-Reactivity/yara-mikesxrs/AirBnB/malware_macos_neoneggplant_eggshell.yara

25 lines
937 B
Text
Raw Permalink Normal View History

rule malware_macos_neoneggplant_eggshell
{
meta:
description = "EggShell is an iOS and macOS post exploitation surveillance pentest tool written in Python."
reference = "https://github.com/neoneggplant/EggShell"
author = "@mimeframe"
strings:
// eggshell.py
$a1 = "Created By Lucas Jackson (@neoneggplant)" wide ascii
$a2 = "SET LHOST (Leave blank for" wide ascii
$a3 = "SET LPORT (Leave blank for" wide ascii
// esplios
$b1 = "/tmp/.esplog" wide ascii
$b2 = "spGHbigdxMBJpbOCAr3rnS3inCdYQyZV" wide ascii
$b3 = "keylogclear" wide ascii
$b4 = "getpasscode" wide ascii
// esplosx
$c1 = "spGHbigdxMBJpbOCAr3rnS3inCdYQyZV" wide ascii
$c2 = "getfacebook" wide ascii
$c3 = "type is eggsu" wide ascii
$c4 = "rmpersistence" wide ascii
condition:
all of ($a*) or 3 of ($b*) or 3 of ($c*)
}