XProtect_MACOS_60a3d68
rule XProtect_MACOS_60a3d68
{
    meta:
        description = "MACOS.60a3d68"

    strings:
        // Shebang: the rule is aimed at small shell scripts, not binaries
        $a = "#!"

        // openssl invoked for AES-256-CBC; both strings must be present
        $b1 = "openssl enc"
        $b2 = "-aes-256-cbc"

        // base64 input/output, long or short flag form
        $c1 = "-base64"
        $c2 = "-a"

        // decrypt mode
        $d = "-d"

        // at least one of the usual openssl enc option flags
        $e1 = "-in"
        $e2 = "-nosalt"
        $e3 = "-salt"
        $e4 = "-k"
        $e5 = "-out"
        $e6 = "-pass"

        // at least one of the payload-handling idioms seen in the family
        $f1 = "dd if=/dev/urandom bs=$(jot -r 1 5 15)"
        $f2 = "base64 | tr -dc 'a-zA-Z0-9'"
        $f3 = "<enc)\""
        $f4 = "Resources/enc)\""
        $f5 = "shell_exec"
        $f6 = "eval echo"

    condition:
        $a at 0 and
        filesize < 3KB and
        all of ( $b* ) and
        any of ( $c* ) and
        $d and
        any of ( $e* ) and
        any of ( $f* )
}