import "pe" rule malware_windows_moonlightmaze_wipe { meta: description = "Rule to detect log cleaner based on wipe.c" reference = "https://en.wikipedia.org/wiki/Moonlight_Maze" reference2 = "http://www.afn.org/~afn28925/wipe.c" author = "Kaspersky Lab" md5 = "e69efc504934551c6a77b525d5343241" strings: $a1 = "ERROR: Unlinking tmp WTMP file." $a2 = "USAGE: wipe [ u|w|l|a ] ...options..." $a3 = "Erase acct entries on tty : wipe a [username] [tty]" $a4 = "Alter lastlog entry : wipe l [username] [tty] [time] [host]" condition: (uint32(0)==0x464c457f) and (2 of them) }