18 lines
674 B
Text
18 lines
674 B
Text
import "pe"
|
|
|
|
rule malware_windows_moonlightmaze_wipe
|
|
{
|
|
meta:
|
|
description = "Rule to detect log cleaner based on wipe.c"
|
|
reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
|
|
reference2 = "http://www.afn.org/~afn28925/wipe.c"
|
|
author = "Kaspersky Lab"
|
|
md5 = "e69efc504934551c6a77b525d5343241"
|
|
strings:
|
|
$a1 = "ERROR: Unlinking tmp WTMP file."
|
|
$a2 = "USAGE: wipe [ u|w|l|a ] ...options..."
|
|
$a3 = "Erase acct entries on tty : wipe a [username] [tty]"
|
|
$a4 = "Alter lastlog entry : wipe l [username] [tty] [time] [host]"
|
|
condition:
|
|
(uint32(0)==0x464c457f) and (2 of them)
|
|
}
|