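import "pe"

// Detects ELF log-cleaning utilities derived from utclean.c (Moonlight Maze toolset):
// the file must start with the ELF magic and contain at least one of the utclean.c
// usage/output strings. Note: the "pe" module is imported but never referenced by
// this condition (the target format is ELF, not PE).
rule malware_windows_moonlightmaze_u_logcleaner
{
    meta:
        description = "Rule to detect log cleaners based on utclean.c"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        reference2 = "http://cd.textfiles.com/cuteskunk/Unix-Hacking-Exploits/utclean.c"
        author = "Kaspersky Lab"
        md5_1 = "d98796dcda1443a37b124dbdc041fe3b"
        md5_2 = "73a518f0a73ab77033121d4191172820"

    strings:
        // Status message printed by utclean.c. The earlier form of this string ended
        // in a literal "n", most likely a lost backslash from the C escape "\n".
        // Dropping the trailing character matches both the newline-terminated string
        // a compiled binary would carry and the literal form, so no previous match
        // is lost while the likely-broken variant is also covered.
        $a1 = "Hiding complit..."
        // Usage banner of the tool.
        $a2 = "usage: %s [hostname]"
        // Shell command string that copies the edited wtmp temp file back over the
        // target and removes the temp copy.
        $a3 = "ls -la %s* ; /bin/cp ./wtmp.tmp %s; rm ./wtmp.tmp"

    condition:
        // 0x464c457f is "\x7fELF" read as a little-endian uint32: the sample is a
        // Unix/Linux ELF binary despite the "windows" prefix in the rule name; the
        // name is kept unchanged so existing references to this rule keep working.
        (uint32(0) == 0x464c457f) and (any of them)
}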