23 lines
560 B
Text
23 lines
560 B
Text
|
rule COATHANGER_files
|
||
|
{
|
||
|
meta:
|
||
|
description = "Detects COATHANGER files by used filenames"
|
||
|
malware = "COATHANGER"
|
||
|
author = "NLD MIVD - JSCU"
|
||
|
date = "20240206"
|
||
|
strings:
|
||
|
$1 = "/data2/"
|
||
|
$2 = "/httpsd"
|
||
|
$3 = "/preload.so"
|
||
|
$4 = "/authd"
|
||
|
$5 = "/tmp/packfile"
|
||
|
$6 = "/smartctl"
|
||
|
$7 = "/etc/ld.so.preload"
|
||
|
$8 = "/newcli"
|
||
|
$9 = "/bin/busybox"
|
||
|
|
||
|
condition:
|
||
|
(uint32(0) == 0x464c457f or uint32(4) == 0x464c457f)
|
||
|
and filesize < 5MB and 4 of them
|
||
|
}
|