DefenderYara/Trojan/MacOS/Xcsset/Trojan_MacOS_Xcsset_A_MTB.yar


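// Detection for Trojan:MacOS/Xcsset.A!MTB, converted from a Defender
// SIGNATURE_TYPE_MACHOHSTR_EXT signature (header bytes kept in meta.description).
//
// NOTE(review): the trailing "//NN 00" comments after each string look like
// per-string weights carried over from the source signature (02 00, 01 00,
// 00 00); the source's threshold is not reproduced by this rule, so the
// condition is a plain "any of" over the remaining patterns — TODO confirm the
// threshold against the original signature before relying on this rule alone.
rule Trojan_MacOS_Xcsset_A_MTB
{
    meta:
        description = "Trojan:MacOS/Xcsset.A!MTB,SIGNATURE_TYPE_MACHOHSTR_EXT,04 00 04 00 06 00 00 01 00 "
    strings:
        // x86-64 code storing the immediates "method" and "Page.get" / "Cookies".
        $a_00_0 = {48 89 43 48 48 c7 43 30 01 00 00 00 48 b8 6d 65 74 68 6f 64 00 00 48 89 43 50 4c 89 7b 58 4c 89 63 78 48 b8 50 61 67 65 2e 67 65 74 48 89 43 60 48 b8 43 6f 6f 6b 69 65 73 ef 48 89 43 68 48 89 df } //02 00
        // NOTE(review): the "90 01 NN", "90 02 NN" and trailing "90 00" bytes in
        // the $a_02_* strings look like the source format's wildcard/jump
        // encoding left as literal bytes — TODO confirm; if so they should be
        // YARA jumps ([N], [0-N]) or the strings will not match the intended code.
        // x86-64 code storing the immediates "expressi" / "on" and "silent".
        $a_02_1 = {48 89 c3 0f 28 05 90 01 03 00 0f 11 40 10 48 b8 65 78 70 72 65 73 73 69 48 89 43 20 48 b8 6f 6e 00 00 00 00 00 ea 48 89 43 28 4c 89 73 48 48 8b 45 c0 48 89 43 30 4c 8b 90 01 02 4c 89 90 01 02 48 b8 73 69 6c 65 6e 74 00 00 48 89 43 50 4c 89 90 01 01 58 48 8b 05 90 01 02 04 00 48 89 43 78 c6 43 60 01 48 89 df 90 00 } //01 00
        // x86-64 code storing the immediates "echo '", "' > '", "'" and "chmod +x" / " '"
        // (shell command assembly).
        $a_00_2 = {48 b8 65 63 68 6f 20 27 00 00 48 89 45 c0 48 b8 00 00 00 00 00 00 00 e6 48 89 45 c8 4c 8d 6d c0 48 8b bd 58 ff ff ff 48 8b 75 80 e8 8e 28 00 00 48 bf 27 20 3e 20 27 00 00 00 48 be 00 00 00 00 00 00 00 e5 e8 75 28 00 00 4c 8b 7d 90 4c 89 ff 4c 8b 65 b0 4c 89 e6 e8 62 28 00 00 bf 27 00 00 00 48 be 00 00 00 00 00 00 00 e1 e8 4e 28 00 00 48 8b 7d c0 48 8b 5d c8 48 89 de e8 0a ee ff ff 49 89 d6 48 89 df e8 9b 2c 00 00 4c 89 f7 e8 93 2c 00 00 48 b8 63 68 6d 6f 64 20 2b 78 48 89 45 c0 48 b8 20 27 00 00 00 00 00 ea 48 89 45 c8 } //01 00
        // x86-64 code storing the immediates "paypal.c" followed by "on".
        $a_00_3 = {49 8b 7c 24 30 48 85 ff 0f 84 a1 2c 00 00 49 bf 00 00 00 00 00 00 00 e8 49 8b 44 24 28 48 89 85 90 fd ff ff 48 89 bd 98 fd ff ff 48 b8 70 61 79 70 61 6c 2e 63 48 89 85 d0 fd ff ff 48 b8 6f 6e 00 00 00 00 00 ea 48 05 00 ff ff ff 48 89 85 d8 fd ff ff } //01 00
        // ASCII "Network.getAllCookies".
        $a_00_4 = {4e 65 74 77 6f 72 6b 2e 67 65 74 41 6c 6c 43 6f 6f 6b 69 65 73 } //01 00
        // ASCII "ble -string" then "Browser" (see the wildcard note above).
        $a_02_5 = {62 6c 65 20 2d 73 74 72 69 6e 67 90 02 10 42 72 6f 77 73 65 72 90 00 } //00 00
        // Dropped: $a_00_6 = {5d 04} //00 00 — a two-byte pattern with a zero
        // weight in the source signature; under "any of" it alone satisfied the
        // rule and would fire on practically any Mach-O binary (and YARA cannot
        // leave it defined without referencing it).
    condition:
        any of ($a_*)
}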