RED PILL 🔴 💊
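// Detects Unix log-cleaner binaries derived from utclean.c (strings taken from
// that source, see reference2). The condition gates on an ELF header: uint32(0)
// read little-endian as 0x464c457f is the byte sequence 7f 45 4c 46 ("\x7fELF"),
// so despite the "windows" in the rule name this rule only fires on ELF files.
// No YARA module is required: the condition uses only the built-in uint32()
// function, so the file carries no import.
rule malware_windows_moonlightmaze_u_logcleaner
{
    meta:
        description = "Rule to detect log cleaners based on utclean.c"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        reference2 = "http://cd.textfiles.com/cuteskunk/Unix-Hacking-Exploits/utclean.c"
        author = "Kaspersky Lab"
        md5_1 = "d98796dcda1443a37b124dbdc041fe3b"
        md5_2 = "73a518f0a73ab77033121d4191172820"

    strings:
        // NOTE(review): this pattern ends in a literal 'n'. If the source was a
        // printf("...\n") in utclean.c, the backslash may have been lost in
        // transcription, in which case $a1 never matches a compiled binary —
        // verify against the source before relying on $a1 alone (the rule still
        // fires on $a2 or $a3 because the condition is "any of them").
        $a1 = "Hiding complit...n"
        // usage banner of the tool
        $a2 = "usage: %s <username> <fixthings> [hostname]"
        // format string of a shell command line; presumably used to replace
        // wtmp with the rewritten copy — verify against utclean.c
        $a3 = "ls -la %s* ; /bin/cp ./wtmp.tmp %s; rm ./wtmp.tmp"

    condition:
        // ELF magic at offset 0, then at least one of the three strings
        (uint32(0)==0x464c457f) and (any of them)
}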