Common Information

| Type | Value |
|---|---|
| Category | |
| Type | Yara Rule |
| Misp Type | |
| Description | |

Value (the Yara rule carried by this record):

```yara
rule Persirai {
    meta:
        description = "Detects Persirai Botnet Malware"
        author = "Tim Yeh"
        reference = "Internal Research"
        date = "2017-04-21"
        hash1 = "f736948bb4575c10a3175f0078a2b5d36cce1aa4cd635307d03c826e305a7489"
        hash2 = "e0b5c9f874f260c840766eb23c1f69828545d7820f959c8601c41c024044f02c"
        hash3 = "35317971e346e5b2a8401b2e66b9e62e371coe9532f816cb313216c3647973c32"
        hash4 = "ff5db7bdb4de17a77bd4a552f50f0e5488281cedc934fc3707833f90484ef66c"
        hash5 = "aec2c39f1dfb75e7b33daceaeda4dbadb8efd9015a9b7e41d595bb28d2cd0180f"
    strings:
        // High-confidence strings ($x*): paths and payload artifacts used by the bot
        $x1 = "ftpupload.sh" ascii fullword
        $x2 = "/dev/misc/watchdog" ascii fullword
        $x3 = "/dev/watchdog"
        $x4 = ":52869/picsdesc.xml" ascii fullword
        $x5 = "npxXoudifFeEgGaACScs" ascii fullword
        // Supporting strings ($s*): camera CGI endpoints and embedded constants
        $s1 = "ftptest.cgi" ascii fullword
        $s2 = "set_ftp.cgi" ascii fullword
        $s3 = "2580e538f3723927f1ea2fdb8d57b99e9cc37ced1" ascii fullword
        $s4 = "023ea8c671c0abf77241886465200cf81b1a2bf5e" ascii fullword
    condition:
        // uint16(0) == 0x457f is the little-endian read of the "\x7fELF" magic,
        // i.e. the file is an ELF binary
        uint16(0) == 0x457f and filesize < 300KB and
        ((1 of ($x*) and 1 of ($s*)) or 2 of ($s*))
}
```