33 lines
973 B
Text
33 lines
973 B
Text
|
|
||
|
|
rule MAL_JS_EFile_Apr23_1 {
|
||
|
|
meta:
|
||
|
|
description = "Detects JavaScript malware used in eFile compromise"
|
||
|
|
author = "Florian Roth"
|
||
|
|
score = 75
|
||
|
|
reference = "https://twitter.com/Ax_Sharma/status/1643178696084271104/photo/1"
|
||
|
|
date = "2023-04-06"
|
||
|
|
id = "ba7a8b2c-789c-5bc5-be53-f2b92c7039e1"
|
||
|
|
strings:
|
||
|
|
$s1 = "let payload_chrome = "
|
||
|
|
$s2 = "else if (agent.indexOf(\"firefox"
|
||
|
|
condition:
|
||
|
|
all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule MAL_PHP_EFile_Apr23_1 {
|
||
|
|
meta:
|
||
|
|
description = "Detects malware "
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://twitter.com/malwrhunterteam/status/1642988428080865281?s=12&t=C0_T_re0wRP_NfKa27Xw9w"
|
||
|
|
date = "2023-04-06"
|
||
|
|
score = 75
|
||
|
|
id = "d663b38e-b082-5cf7-9853-f4685bf3a87b"
|
||
|
|
strings:
|
||
|
|
$s1 = "mt_rand( 0, 0xffff ), mt_rand( 0, 0xffff )" ascii
|
||
|
|
$s2 = "C:\\\\ProgramData\\\\Browsers" ascii fullword
|
||
|
|
$s3 = "curl_https($api_url." ascii
|
||
|
|
condition:
|
||
|
|
all of them
|
||
|
|
}
|