
import "pe"
// Detects ELF binaries carrying strings from the utclean.c log cleaner
// (attributed in the meta to the Moonlight Maze toolset). The rule is
// purely string-based: an ELF magic check plus any one of three strings.
// Note: the `pe` module imported at the top of this file is not referenced
// by this condition.
rule malware_windows_moonlightmaze_u_logcleaner
{
    meta:
        description = "Rule to detect log cleaners based on utclean.c"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        reference2 = "http://cd.textfiles.com/cuteskunk/Unix-Hacking-Exploits/utclean.c"
        author = "Kaspersky Lab"
        md5_1 = "d98796dcda1443a37b124dbdc041fe3b"
        md5_2 = "73a518f0a73ab77033121d4191172820"

    strings:
        // Status message printed by the cleaner. As written the literal ends in
        // a plain 'n', not a newline escape -- confirm against the samples in
        // meta if exact matching matters.
        $s1 = "Hiding complit...n"
        // Usage banner of the tool.
        $s2 = "usage: %s <username> <fixthings> [hostname]"
        // Shell fragment that overwrites the target log with a rewritten
        // wtmp.tmp and removes the temp file; strongest of the three.
        $s3 = "ls -la %s* ; /bin/cp ./wtmp.tmp %s; rm ./wtmp.tmp"

    condition:
        // ELF magic (\x7fELF) read big-endian, then any single string hit.
        // Single-string matching keeps the rule sensitive; expect some FP
        // potential on $s2-style usage text and triage accordingly.
        uint32be(0) == 0x7F454C46 and 1 of ($s*)
}