@applch
Created January 27, 2020 05:51
XProtect_MACOS_60a3d68
rule XProtect_MACOS_60a3d68
{
    meta:
        description = "MACOS.60a3d68"
    strings:
        $a = "#!"
        $b1 = "openssl enc"
        $b2 = "-aes-256-cbc"
        $c1 = "-base64"
        $c2 = "-a"
        $d = "-d"
        $e1 = "-in"
        $e2 = "-nosalt"
        $e3 = "-salt"
        $e4 = "-k"
        $e5 = "-out"
        $e6 = "-pass"
        $f1 = "dd if=/dev/urandom bs=$(jot -r 1 5 15)"
        $f2 = "base64 | tr -dc 'a-zA-Z0-9'"
        $f3 = "<enc)\""
        $f4 = "Resources/enc)\""
        $f5 = "shell_exec"
        $f6 = "eval echo"
    condition:
        $a at 0 and
        filesize < 3KB and
        all of ( $b* ) and
        any of ( $c* ) and
        $d and
        any of ( $e* ) and
        any of ( $f* )
}
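The rule's condition re-implemented as an added Python test harness (not part of the gist or of Apple's XProtect), so each clause can be exercised against constructed scripts without yara-python; `matches`, `run_checks` and the fixture scripts are all invented here.

```python
# Added example, not from the gist or from Apple's XProtect: the rule's
# condition re-implemented in plain Python so it can be unit-tested against
# constructed scripts. Strings are matched as byte substrings, as in YARA.
RULE = {
    "a": [b"#!"],
    "b": [b"openssl enc", b"-aes-256-cbc"],
    "c": [b"-base64", b"-a"],
    "d": [b"-d"],
    "e": [b"-in", b"-nosalt", b"-salt", b"-k", b"-out", b"-pass"],
    "f": [b"dd if=/dev/urandom bs=$(jot -r 1 5 15)", b"base64 | tr -dc 'a-zA-Z0-9'",
          b'<enc)"', b'Resources/enc)"', b"shell_exec", b"eval echo"],
}

def matches(data: bytes) -> bool:
    """True when the file content satisfies the XProtect_MACOS_60a3d68 condition."""
    present = lambda s: s in data
    # Note: $c2 ("-a") is a substring of $b2 ("-aes-256-cbc"), so once all of
    # ($b*) holds, any of ($c*) holds too; the $f* tier does the real narrowing.
    return (
        data.startswith(RULE["a"][0])        # $a at 0: shebang must be the very first bytes
        and len(data) < 3 * 1024             # filesize < 3KB (YARA's KB is 1024 bytes)
        and all(map(present, RULE["b"]))     # all of ($b*)
        and any(map(present, RULE["c"]))     # any of ($c*)
        and present(RULE["d"][0])            # $d
        and any(map(present, RULE["e"]))     # any of ($e*)
        and any(map(present, RULE["f"]))     # any of ($f*)
    )

# Constructed fixtures (not real samples). BENIGN decrypts a config with openssl
# and trips the $b/$c/$d/$e tiers but none of $f*; SUSPECT adds the "eval echo"
# idiom the rule treats as a loader marker.
BENIGN = (b"#!/bin/sh\n"
          b'openssl enc -aes-256-cbc -d -a -k "$CFG_KEY" -in config.enc -out config.txt\n')
SUSPECT = BENIGN + b'eval echo "$(cat config.txt)"\n'

def run_checks() -> dict:
    """Exercise each clause: matching content, the 'at 0' anchor, and the size cap."""
    return {
        "benign": matches(BENIGN),                     # False: no $f* string present
        "suspect": matches(SUSPECT),                   # True
        "leading_newline": matches(b"\n" + SUSPECT),   # False: "#!" no longer at offset 0
        "oversize": matches(SUSPECT + b"#" * 4096),    # False: filesize is not < 3KB
    }

if __name__ == "__main__":
    for name, hit in run_checks().items():
        print(f"{name:16} {'MATCH' if hit else 'no match'}")
```

The `benign` fixture shows the rule's false-positive surface: an ordinary openssl decryption script satisfies every tier except `$f*`, so that tier is the one worth tuning when adapting the logic.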