Skip to content

Instantly share code, notes, and snippets.

@applch
Created January 27, 2020 05:51
Show Gist options
  • Save applch/3f883a36ecf5dd8572d144bbb96eeed2 to your computer and use it in GitHub Desktop.
Save applch/3f883a36ecf5dd8572d144bbb96eeed2 to your computer and use it in GitHub Desktop.
XProtect_MACOS_60a3d68
rule XProtect_MACOS_60a3d68
{
meta:
description = "MACOS.60a3d68"
strings:
$a = "#!"
$b1 = "openssl enc"
$b2 = "-aes-256-cbc"
$c1 = "-base64"
$c2 = "-a"
$d = "-d"
$e1 = "-in"
$e2 = "-nosalt"
$e3 = "-salt"
$e4 = "-k"
$e5 = "-out"
$e6 = "-pass"
$f1 = "dd if=/dev/urandom bs=$(jot -r 1 5 15)"
$f2 = "base64 | tr -dc 'a-zA-Z0-9'"
$f3 = "<enc)""
$f4 = "Resources/enc)""
$f5 = "shell_exec"
$f6 = "eval echo"
condition:
$a at 0 and
filesize < 3KB and
all of ( $b* ) and
any of ( $c* ) and
$d and
any of ( $e* ) and
any of ( $f* )
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment