
// Private building block: never reported on its own, only consumed by the
// public rule ChinaZ_Managers at the bottom of this file.
private rule NewManager {
meta:
copyright = "Intezer Labs"
author = "Intezer Labs"
reference = "https://www.intezer.com"
strings:
// Byte pattern with full-byte (??) and nibble (3?) wildcards. The exact
// instructions it encodes are not documented here; treat it as an opaque
// code fingerprint taken from the sample.
$a0 = {8B ?? 04 3? 03 00 00 11 74 4D 3? 11 00 00 11 74 61 3? 02 00 00 11 }
// Plain text strings. No modifiers are given, so each one matches only as
// case-sensitive ASCII (no wide / nocase).
$b0 = "_ConnectServer"
// Absolute log path embedded in the sample.
$b1 = "/root/1/ampS.log"
// printf-style format string referencing SysV rc directories; presumably
// used for a start-up entry (inferred from the text only).
$b2 = "/etc/rc%d.d/S%d%s"
// The odd capitalisation ("SYstem") is part of the signature; a re-cased
// variant would not match because nocase is not set.
$b3 = "Get SYstem Info"
$b4 = "newmanager"
$b5 = "NO DDXC"
condition:
// Every declared string ($a0 and $b0..$b5) must be present. This favours
// precision over recall: a sample missing even one of these strings is not
// matched.
all of them
}
// Private building block consumed by the public rule ChinaZ_Managers.
private rule AmpManager {
meta:
copyright = "Intezer Labs"
author = "Intezer Labs"
reference = "https://www.intezer.com"
strings:
// Byte pattern: two "C7 85 ?? F8 FF FF" sequences (stack-relative stores,
// presumably) separated by wildcards. Opaque code fingerprint; not decoded here.
$a0 = {C7 85 ?? F8 FF FF ?? 00 00 11 C7 85 ?? F8 FF FF 00 00 00 00 C7 85 ?? F8 FF FF ?? 00 00 00}
// Source-file path left in the binary (build artefact), matched literally.
$b0 = "ampserver/main.cpp"
// SSDP (UPnP discovery) request line; its role in the sample is not
// established by this rule, it is only used as a literal marker.
$b1 = "M-SEARCH * HTTP/1.1"
// Embedded shell command text, matched as a literal string only.
$b2 = "rm -f /usr/bin/ammint | killall ammint 2>/dev/null &"
// Format string referencing /etc/init.d; looks persistence-related, but
// that is inferred from the text alone.
$b3 = "ln -s /etc/init.d/%s %s"
// Hard-coded token found in the sample; meaning not documented.
$b4 = "camplz123"
condition:
// All six strings ($a0, $b0..$b4) are required; no partial-match scoring.
all of them
}
// Private building block consumed by the public rule ChinaZ_Managers.
private rule DDoSManager {
meta:
copyright = "Intezer Labs"
author = "Intezer Labs"
reference = "https://www.intezer.com"
strings:
// Byte pattern starting with 55 89 e5 (32-bit x86 push ebp / mov ebp,esp
// prologue), followed by wildcarded register bytes. Lower-case hex is
// accepted by YARA, so the mixed case here is cosmetic only.
$a0 = { 55 89 e5 5? 8b ?? 0c 8B ?? 08 85 ?? 7E 16 31 ?? 0F B6 ?? ?? 83 F? 19 83 C? 7A 88 ?? ?? 83 C? 01}
// $b0 and $b3 look like length-prefixed identifier fragments of mangled
// C++ symbols (e.g. "5CFake" -> CFake, "8CManager" -> CManager). That is an
// inference from the text; the rule itself only matches them literally.
$b0 = "5CFake"
// Config path embedded in the sample.
$b1 = "/tmp/Cfg.9"
// Pipe-delimited format string; field meanings are not documented here.
$b2 = "0|%s|%s|1|65535|"
$b3 = "8CManager"
$b4 = "SingTool"
condition:
// All six strings ($a0, $b0..$b4) must be present; absence of any one
// yields no match.
all of them
}
// Public (reported) rule: the only non-private rule in this file, so it is
// the only name that shows up in scan output. It fires when any one of the
// three private component rules above matches. Each of those requires all
// of its own strings, so this rule's recall is bounded by theirs.
rule ChinaZ_Managers {
meta:
copyright = "Intezer Labs"
author = "Intezer Labs"
// NOTE(review): no description, date, or sample-hash meta is recorded on
// any rule in this file; adding them from the vendor report would make the
// ruleset easier to audit and attribute.
reference = "https://www.intezer.com"
condition:
// Private rules must be defined earlier in the same file to be referenced
// here; NewManager, AmpManager and DDoSManager are, in that order.
NewManager or AmpManager or DDoSManager
}