DefenderYara/Trojan/Linux/Loki/Trojan_Linux_Loki_B.yar


rule Trojan_Linux_Loki_B{
	meta:
		description = "Trojan:Linux/Loki.B,SIGNATURE_TYPE_ELFHSTR_EXT,04 00 04 00 03 00 00 "
		
	strings :
		$a_00_0 = {6c 6f 6b 69 64 3a 20 73 65 72 76 65 72 20 69 73 20 63 75 72 72 65 6e 74 6c 79 20 61 74 20 63 61 70 61 63 69 74 79 } //2 lokid: server is currently at capacity
		$a_00_1 = {6c 6f 6b 69 64 3a 20 43 61 6e 6e 6f 74 20 61 64 64 20 6b 65 79 } //2 lokid: Cannot add key
		$a_00_2 = {6c 6f 6b 69 64 20 2d 70 20 28 69 7c 75 29 } //2 lokid -p (i|u)
	condition:
		((#a_00_0  & 1)*2+(#a_00_1  & 1)*2+(#a_00_2  & 1)*2) >=4
 
}
init 2024-02-05 06:12:47 -08:00
			`rule Trojan_Linux_Loki_B{`
			`meta:`
fix condition 2024-07-06 23:13:08 -07:00			`description = "Trojan:Linux/Loki.B,SIGNATURE_TYPE_ELFHSTR_EXT,04 00 04 00 03 00 00 "`
init 2024-02-05 06:12:47 -08:00
			`strings :`
fix condition 2024-07-06 23:13:08 -07:00			`$a_00_0 = {6c 6f 6b 69 64 3a 20 73 65 72 76 65 72 20 69 73 20 63 75 72 72 65 6e 74 6c 79 20 61 74 20 63 61 70 61 63 69 74 79 } //2 lokid: server is currently at capacity`
			`$a_00_1 = {6c 6f 6b 69 64 3a 20 43 61 6e 6e 6f 74 20 61 64 64 20 6b 65 79 } //2 lokid: Cannot add key`
			`$a_00_2 = {6c 6f 6b 69 64 20 2d 70 20 28 69 7c 75 29 } //2 lokid -p (i\|u)`
init 2024-02-05 06:12:47 -08:00			`condition:`
fix condition 2024-07-06 23:13:08 -07:00			`((#a_00_0 & 1)2+(#a_00_1 & 1)2+(#a_00_2 & 1)*2) >=4`
init 2024-02-05 06:12:47 -08:00
			`}`