14 lines
864 B
Plaintext
14 lines
864 B
Plaintext
|
|
rule Backdoor_MacOS_Getshell{
|
|
meta:
|
|
description = "Backdoor:MacOS/Getshell,SIGNATURE_TYPE_MACHOHSTR_EXT,04 00 04 00 04 00 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {6a 00 89 e5 83 e4 f0 83 ec 10 8b 5d 04 89 5c 24 00 8d 4d 08 89 4c 24 04 83 c3 01 c1 e3 02 01 cb 89 5c 24 08 8b 03 83 c3 04 85 c0 75 f7 89 5c 24 0c e8 2c 00 00 00 89 44 24 00 e8 45 30 00 00 } //1
|
|
$a_01_1 = {55 89 e5 53 83 ec 04 e8 00 00 00 00 5b 8d 83 2a 00 00 00 ff d0 b8 00 00 00 00 83 c4 04 5b c9 c3 } //1
|
|
$a_01_2 = {00 5f 6d 61 69 6e 00 5f 70 61 79 6c 6f 61 64 00 73 74 61 72 74 00 5f 65 78 69 74 } //1
|
|
$a_01_3 = {90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 } //1
|
|
condition:
|
|
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1) >=4
|
|
|
|
} |