Sneed-Reactivity/yara-mikesxrs/AirBnB/malware_windows_moonlightmaze_IRIX_exploit_GEN.yara

import "pe"

rule malware_windows_moonlightmaze_IRIX_exploit_GEN
{
    meta:
        description = "Rule to detect Irix exploits from David Hedley used by Moonlight Maze hackers"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        reference2 = "https://www.exploit-db.com/exploits/19274/"
        author = "Kaspersky Lab"
        md5_1 = "008ea82f31f585622353bd47fa1d84be" //df3
        md5_2 = "a26bad2b79075f454c83203fa00ed50c" //log
        md5_3 = "f67fc6e90f05ba13f207c7fdaa8c2cab" //xconsole
        md5_4 = "5937db3896cdd8b0beb3df44e509e136" //xlock
        md5_5 = "f4ed5170dcea7e5ba62537d84392b280" //xterm
    strings:
        $a1 = "stack = 0x%x, targ_addr = 0x%x"
        $a2 = "execl failed"
    condition:
        (uint32(0)==0x464c457f) and (all of them)
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00			`import "pe"`

			`rule malware_windows_moonlightmaze_IRIX_exploit_GEN`
			`{`
			`meta:`
			`description = "Rule to detect Irix exploits from David Hedley used by Moonlight Maze hackers"`
			`reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"`
			`reference2 = "https://www.exploit-db.com/exploits/19274/"`
			`author = "Kaspersky Lab"`
			`md5_1 = "008ea82f31f585622353bd47fa1d84be" //df3`
			`md5_2 = "a26bad2b79075f454c83203fa00ed50c" //log`
			`md5_3 = "f67fc6e90f05ba13f207c7fdaa8c2cab" //xconsole`
			`md5_4 = "5937db3896cdd8b0beb3df44e509e136" //xlock`
			`md5_5 = "f4ed5170dcea7e5ba62537d84392b280" //xterm`
			`strings:`
			`$a1 = "stack = 0x%x, targ_addr = 0x%x"`
			`$a2 = "execl failed"`
			`condition:`
			`(uint32(0)==0x464c457f) and (all of them)`
			`}`