Sneed-Reactivity/yara-mikesxrs/Volexity/webshell_php_icescorpion.yar

21 lines
743 B
Text
Raw Normal View History

rule webshell_php_icescorpion : Commodity Webshell
{
meta:
author = "threatintel@volexity.com"
description = "Detects the IceScorpion webshell."
date = "2022-01-17"
hash1 = "5af4788d1a61009361b37e8db65deecbfea595ef99c3cf920d33d9165b794972"
reference = "https://www.codenong.com/cs106064226/"
reference2 = "https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/"
license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"
memory_suitable = 0
strings:
$s1 = "[$i+1&15];"
$s2 = "openssl_decrypt"
condition:
all of them and
filesize < 10KB
}