Sneed-Reactivity/yara-mikesxrs/Volexity/webshell_java_realcmd.yar

30 lines
1.2 KiB
Text
Raw Permalink Normal View History

rule webshell_java_realcmd : Commodity Webshells
{
meta:
author = "threatintel@volexity.com"
description = "Detects the RealCMD webshell, one of the payloads for BEHINDER."
date = "2022-06-01"
hash1 = "a9a30455d6f3a0a8cd0274ae954aa41674b6fd52877fafc84a9cb833fd8858f6"
reference = "https://github.com/Freakboy/Behinder/blob/master/src/main/java/vip/youwe/sheller/payload/java/RealCMD.java"
reference2 = "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/"
memory_suitable = 1
license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"
strings:
$fn1 = "runCmd" wide ascii fullword
$fn2 = "RealCMD" ascii wide fullword
$fn3 = "buildJson" ascii wide fullword
$fn4 = "Encrypt" ascii wide fullword
$s1 = "AES/ECB/PKCS5Padding" ascii wide
$s2 = "python -c 'import pty; pty.spawn" ascii wide
$s3 = "status" ascii wide
$s4 = "success" ascii wide
$s5 = "sun.jnu.encoding" ascii wide
$s6 = "java.util.Base64" ascii wide
condition:
all of ($fn*) or
all of ($s*)
}