33 lines
1.3 KiB
Text
33 lines
1.3 KiB
Text
|
|
rule SUSP_LNX_SH_CryptoMiner_Indicators_Dec20_1 {
|
|
meta:
|
|
description = "Detects helper script used in a crypto miner campaign"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/"
|
|
date = "2020-12-31"
|
|
hash1 = "3298dbd985c341d57e3219e80839ec5028585d0b0a737c994363443f4439d7a5"
|
|
id = "e376e0e1-1490-5ad4-8ca2-d28ca1c0b51a"
|
|
strings:
|
|
$x1 = "miner running" fullword ascii
|
|
$x2 = "miner runing" fullword ascii
|
|
$x3 = " --donate-level 1 "
|
|
$x4 = " -o pool.minexmr.com:5555 " ascii
|
|
condition:
|
|
filesize < 20KB and 1 of them
|
|
}
|
|
|
|
rule PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 {
|
|
meta:
|
|
description = "Detects XMRIG crypto coin miners"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/"
|
|
date = "2020-12-31"
|
|
hash1 = "b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09"
|
|
id = "4dfb04e9-fbba-5a6f-ad20-d805025d2d74"
|
|
strings:
|
|
$x1 = "xmrig.exe" fullword wide
|
|
$x2 = "xmrig.com" fullword wide
|
|
$x3 = "* for x86, CRYPTOGAMS" fullword ascii
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 6000KB and 2 of them or all of them
|
|
}
|