Sneed-Reactivity/yara-mikesxrs/AirBnB/malware_windows_moonlightmaze_IRIX_exploit_GEN.yara


import "pe"
rule malware_windows_moonlightmaze_IRIX_exploit_GEN
{
    // Generic detector for the IRIX exploit binaries attributed to the
    // Moonlight Maze intrusions (David Hedley's exploits, see reference2).
    // A sample must be an ELF file and carry both marker strings below.
    // NOTE(review): the "pe" module imported at the top of this file is not
    // referenced anywhere in this rule; the target format is ELF, not PE.
    meta:
        description = "Rule to detect Irix exploits from David Hedley used by Moonlight Maze hackers"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        reference2 = "https://www.exploit-db.com/exploits/19274/"
        author = "Kaspersky Lab"
        md5_1 = "008ea82f31f585622353bd47fa1d84be" //df3
        md5_2 = "a26bad2b79075f454c83203fa00ed50c" //log
        md5_3 = "f67fc6e90f05ba13f207c7fdaa8c2cab" //xconsole
        md5_4 = "5937db3896cdd8b0beb3df44e509e136" //xlock
        md5_5 = "f4ed5170dcea7e5ba62537d84392b280" //xterm

    strings:
        // printf-style format string naming a stack address and a target address
        $dbg_addr = "stack = 0x%x, targ_addr = 0x%x"
        // error text for a failed execl() call
        $exec_err = "execl failed"

    condition:
        // 0x464c457f is the byte sequence "\x7fELF" read as a little-endian
        // uint32, i.e. the ELF header magic; both strings are then required.
        uint32(0) == 0x464c457f and $dbg_addr and $exec_err
}