14 lines
1.5 KiB
Plaintext
14 lines
1.5 KiB
Plaintext
|
|
rule Trojan_MacOS_SysJoker_A_MTB{
|
|
meta:
|
|
description = "Trojan:MacOS/SysJoker.A!MTB,SIGNATURE_TYPE_MACHOHSTR_EXT,04 00 04 00 04 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_03_0 = {74 74 70 73 3a 2f 2f 90 02 18 2f 75 63 3f 65 78 70 6f 72 74 3d 64 6f 77 6e 6c 6f 61 64 26 69 64 3d 31 57 36 34 50 51 51 78 72 77 59 33 58 6a 42 6e 76 5f 51 41 65 42 51 75 2d 65 50 72 35 33 37 65 75 90 00 } //01 00
|
|
$a_00_1 = {2f 55 73 65 72 73 2f 6d 61 63 2f 44 65 73 6b 74 6f 70 2f 74 65 73 74 2f 74 65 73 74 2f 6a 73 6f 6e 2e 68 70 70 } //01 00 /Users/mac/Desktop/test/test/json.hpp
|
|
$a_00_2 = {4d 49 47 66 4d 41 30 47 43 53 71 47 53 49 62 33 44 51 45 42 41 51 55 41 41 34 47 4e 41 44 43 42 69 51 4b 42 67 51 44 6b 66 4e 6c 2b 53 65 37 6a 6d 37 73 47 53 72 53 53 55 70 56 33 48 55 6c 33 76 45 77 75 68 2b 78 6e 34 71 42 59 36 61 52 46 4c 39 31 78 30 48 49 67 63 48 32 41 4d 32 72 4f 6c 4c 64 6f 56 38 76 31 76 74 47 31 6f 50 74 39 51 70 43 31 6a 53 78 53 68 6e 46 77 38 65 76 47 72 59 6e 71 61 6f 75 37 67 4c 73 59 35 4a 32 42 30 36 65 71 35 55 57 37 2b 4f 58 67 62 37 37 57 4e 62 55 39 30 76 79 55 62 5a 41 75 63 66 7a 79 30 65 46 31 48 71 74 42 4e 62 6b 58 69 51 36 53 53 62 71 75 75 76 46 50 55 65 70 71 55 45 6a 55 53 51 49 44 41 51 41 42 } //01 00 MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDkfNl+Se7jm7sGSrSSUpV3HUl3vEwuh+xn4qBY6aRFL91x0HIgcH2AM2rOlLdoV8v1vtG1oPt9QpC1jSxShnFw8evGrYnqaou7gLsY5J2B06eq5UW7+OXgb77WNbU90vyUbZAucfzy0eF1HqtBNbkXiQ6SSbquuvFPUepqUEjUSQIDAQAB
|
|
$a_00_3 = {2f 61 70 69 2f 61 74 74 61 63 68 } //00 00 /api/attach
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |