/*
This rule set detects specific malicious PHP code snippets found in some WordPress sites hosted on Pressidium.
*/
// Shared building-block rules. The rule names listed after each include are referenced by
// name in the conditions of the rules below, so the included files must define them exactly
// as spelled here (including "common_uxin_commands_base64", which looks like a typo but must
// match the identifier actually declared in the included file).
// NOTE(review): how YARA resolves a relative include path (relative to this file vs. the
// working directory) should be confirmed for the deployment layout; a missing include
// makes the whole file fail to compile, not just these two rules.
include "Commons/Pressidium-common-encodings.yar" // rulenames: common_encoding_php , obfuscated_common_encodings_php
include "Commons/Pressidium-common-eval-usage.yar" // rulenames: Detect_Eval_Usage
include "Commons/Pressidium-common-shell-commands.yar" // rulenames: common_unix_commands, common_uxin_commands_base64
include "Commons/Pressidium-common-PHP-functions.yar" // rulenames: common_PHP_functions, common_PHP_functions_base64_encoded
include "Commons/Pressidium-common-error-reporting.yar" // rulenames: common_disable_error_reporting
// Snippet-specific indicators for one PHP webshell family, gated on at least one of the
// shared "common" rules (encodings / eval / shell commands / PHP functions / error
// reporting) so that a lone indicator is not enough to fire.
rule malicious_PHP_code_snippet4
{
    meta:
        author = "Spyros Maris"
        date = "27/10/2023"
        description = "This rule detects specific malicious PHP code snippets that found in some wordpress sites hosted in Pressidium."
        reference = "https://github.com/pressidium/pressidium-yara-rules"

    strings:
        // Declaration of the loader function seen in the sample.
        $s_yq1_def = "function yq1" wide ascii

        // Numeric array index, e.g. $array[0].
        // NOTE(review): this matches any "[<digits>]" in any file (e.g. $argv[0]), so on
        // most PHP sources it satisfies "1 of ($s_*)" by itself and the rule effectively
        // reduces to the gating "common" rules; consider tightening or anchoring it.
        $s_numeric_index = /\[\d+\]/ wide ascii

        // Concatenated string fragments that are later reassembled into function names.
        $s_concat_blob = /"cF;" ."26@m*47 1bgp" ."akru" ."?vh\/nd3sL-<e\)xo9y85\(I'_" ."fi.EHl" ."t"/ wide ascii

        // Superglobals passed together, typically to an array_merge-style input loader.
        $s_superglobals = /\$_COOKIE, \$_POST/ wide ascii

    condition:
        // NOTE(review): "1 of (rule, rule, ...)" over rule identifiers needs a YARA build
        // that supports rule sets in the "of" operator; older engines reject this syntax.
        1 of ($s_*) and
        1 of (common_encoding_php, obfuscated_common_encodings_php, Detect_Eval_Usage, common_unix_commands, common_uxin_commands_base64, common_PHP_functions, common_PHP_functions_base64_encoded, common_disable_error_reporting)
}
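// Snippet-specific indicators for a second PHP webshell family (chr()/hex/XOR string
// obfuscation and an obfuscated file_put_contents call), gated on at least one of the
// shared "common" rules so that a lone indicator is not enough to fire.
rule malicious_PHP_code_snippet5
{
    meta:
        author = "Spyros Maris"
        date = "27/10/2023"
        description = "This rule detects specific malicious PHP code snippets that found in some wordpress sites hosted in Pressidium."
        reference = "https://github.com/pressidium/pressidium-yara-rules"

    strings:
        // chr() fed with an arithmetic expression, e.g. chr(128-23).
        $obfuscation_chr = /chr\(\d+-\d+\)/ wide ascii

        // Hex escape inside a PHP string literal, e.g. \x66.
        // Fix: the original pattern /x[0-9a-fA-F]{2}/ lacked the backslash, so it matched
        // ordinary words such as "fixed" or "Exception" and made "any of them" true on
        // almost every PHP file. "\\" is a literal backslash in a YARA regex.
        $obfuscation_hex = /\\x[0-9a-fA-F]{2}/ wide ascii

        // file_put_contents or an obfuscated spelling of it (each gap allows up to 10
        // non-space characters inserted between the key letters).
        $func_file_io = /f[^ ]{0,10}p[^ ]{0,10}t[^ ]{0,10}_c[^ ]{0,10}t[^ ]{0,10}s/ wide ascii

        // A for-loop that rebuilds a string via chr(... ^ ord(...)), i.e. an XOR decoder.
        // NOTE(review): unlike its siblings this string has no "wide" modifier, so it only
        // matches ASCII sources; the unbounded ".*" parts can also be slow on large files.
        $xor_function = /for\s*\([^)]*\)\s*{\s*[^}]*\s*chr\s*\(.*\^.*ord\s*\(.*\)\s*\)\s*;?\s*}/

    condition:
        // NOTE(review): "1 of (rule, rule, ...)" over rule identifiers needs a YARA build
        // that supports rule sets in the "of" operator; older engines reject this syntax.
        any of them and (1 of (common_encoding_php, obfuscated_common_encodings_php, Detect_Eval_Usage, common_unix_commands, common_uxin_commands_base64, common_PHP_functions, common_PHP_functions_base64_encoded, common_disable_error_reporting))
}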