Skip to content

Instantly share code, notes, and snippets.

@applch
Created January 27, 2020 05:08
Show Gist options
  • Save applch/c01216b661890a1d4e0a94cb86ba5226 to your computer and use it in GitHub Desktop.
Save applch/c01216b661890a1d4e0a94cb86ba5226 to your computer and use it in GitHub Desktop.
XProtect v2112
import "hash"
private rule Macho
{
meta:
description = "private rule to match Mach-O binaries"
condition:
uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca
}
private rule PE
{
meta:
description = "private rule to match PE binaries"
condition:
uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x4550
}
rule XProtect_MACOS_8283b86
{
meta:
description = "MACOS.8283b86"
strings:
$a = { 67 65 74 61 64 76 61 6e 63 65 64 6d 61 63 }
$b = { 74 72 61 63 6b 57 65 62 4f 66 66 65 72 73 56 69 65 77 }
$c = { 67 65 74 4f 66 66 65 72 50 61 72 73 65 64 43 6f 75 6e 74 }
$d = { 77 76 47 65 74 50 68 6f 6e 65 52 65 6e 64 6f 6d }
$e = { 48 8B 3D ?? ?? ?? ?? 48 8B 35 ?? ?? ?? ?? 48 8D 05 ?? ?? ?? ?? 48 89 ?? ?? 48 8D ?? ?? ?? ?? ?? 48 8D ?? ?? ?? ?? ?? 4C 8D ?? ?? ?? ?? ?? 4C 8D ?? ?? ?? ?? ?? 4C 8B ?? ?? ?? ?? ?? 31 C0 41 FF D7 49 89 C4 48 8B ?? ?? ?? ?? ?? 48 8B ?? ?? ?? ?? ?? 41 FF D7 48 8B 35 ?? ?? ?? ?? 48 89 C7 41 FF D7 48 ?? ?? ?? 4C 8B 35 ?? ?? ?? ?? 48 89 DF 4C 89 F6 41 FF D7 49 89 C5 4C 89 ?? ?? 4C 89 E7 4C 89 F6 41 FF D7 45 85 ED 0F 84 A1 00 00 00 48 8B ?? ?? ?? ?? ?? 48 89 ?? ?? 48 8B ?? ?? ?? ?? ?? 48 89 4D C0 44 89 E9 48 89 4D C8 45 31 ED 45 31 FF 48 89 5D A8 [-] 48 89 DF 4C 8B 75 B8 4C 89 F6 4C 89 EA 4C 8B ?? ?? ?? ?? ?? 41 FF D4 89 C3 44 89 FA 48 8B 7D A0 4C 89 F6 41 FF D4 0F B7 C0 C1 E8 04 31 D8 }
condition:
Macho and filesize < 3000000 and all of them
}
rule XProtect_MACOS_b264ff6
{
meta:
description = "MACOS.b264ff6"
strings:
$a1 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 44 89 ( e8 | e9 | e0 ) 48 ?? ?? ?? 45 31 (ed | e4) 45 31 (f6 | ff) }
$a2 = { 48 ?? ?? ?? 8b ?? ?? 89 ca 48 ?? ?? ?? ?? ?? ?? 48 89 c7 e8 ?? ?? ?? ?? 0f b7 c8 48 ?? ?? ?? 44 ?? ?? ?? 44 89 c6 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 d7 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 d6 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 0f b7 c8 c1 f9 04 44 ?? ?? ?? ?? ?? ?? 41 31 c8 66 44 89 c0 66 89 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 0f b7 ?? ?? 4c ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 4c 89 ce b0 00 e8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 d7 48 89 c2 e8 ?? ?? ?? ?? 8b ?? ?? 83 c1 01 89 ?? ?? 3b ?? ?? 0f 83 ?? ?? ?? ?? }
$a3 = { 48 ?? ?? ?? 8b ?? ?? 89 ca 48 ?? ?? ?? ?? ?? ?? 48 89 c7 ff ?? ?? ?? ?? ?? 0f b7 c8 48 ?? ?? ?? 44 ?? ?? ?? 44 89 c6 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 d7 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 d6 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 0f b7 c8 c1 f9 04 44 ?? ?? ?? ?? ?? ?? 41 31 c8 66 44 89 c0 66 89 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 0f b7 ?? ?? 4c ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 4c 89 ce b0 00 ff ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 d7 48 89 c2 ff ?? ?? ?? ?? ?? 8b ?? ?? 83 c1 01 89 ?? ?? 3b ?? ?? 0f 83 ?? ?? ?? ?? }
$a4 = { e8 ?? ?? ?? ?? 48 ?? ?? ?? e8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 cf 48 ?? ?? ?? 48 89 d6 48 ?? ?? ?? ff ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 c7 ff ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 c7 48 89 ca ff ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 89 d7 48 89 ca 48 89 c1 b0 00 ff ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 89 cf 48 89 c2 ff ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 c7 ff ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 89 c7 48 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? e8 ?? ?? ?? ?? 8b ?? ?? 48 ?? ?? ?? e8 ?? ?? ?? ?? }
$b1 = { 75 73 65 72 45 6e 74 65 72 65 64 46 69 6c 65 6e 61 6d 65 }
$b2 = { 64 69 64 43 61 6e 63 65 6c 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 43 68 61 6c 6c 65 6e 67 65 }
$b3 = { 65 78 65 63 75 74 65 43 6f 6d 6d 61 6e 64 }
$b4 = { 2f 75 73 72 2f 73 62 69 6e 2f 73 79 73 74 65 6d 5f 70 72 6f 66 69 6c 65 72 }
$c = { 00 25 40 25 40 25 40 25 40 00 25 63 00 }
condition:
Macho and filesize < 3000000 and (1 of ($a*)) and (1 of ($b*)) and $c
}
rule XProtect_MACOS_f3edc61
{
meta:
description = "MACOS.f3edc61"
strings:
$a = { 6f 70 65 6e 50 68 6f 74 6f 73 4e 61 67 }
$b = { 73 69 6c 65 6e 74 6c 79 46 69 72 65 55 72 6c }
$c = { 54 72 61 63 6b 4f 66 66 65 72 73 }
$d = { 48 8D 05 ?? ?? ?? ?? 48 8B 8D ?? ?? ?? ?? 48 8B 15 ?? ?? ?? ?? 48 8B 35 ?? ?? ?? ?? 48 89 D7 48 89 C2 48 89 8D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 8B 35 ?? ?? ?? ?? 48 8B 8D ?? ?? ?? ?? 48 89 CF 48 89 C2 FF 15 ?? ?? ?? ?? 41 B8 10 00 00 00 31 F6 41 B9 40 00 00 00 44 89 CA 48 89 85 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 C1 48 89 CF 48 89 85 ?? ?? ?? ?? 4C 89 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 8B 35 ?? ?? ?? ?? 48 89 C1 48 89 CF 48 8B 95 ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? 4C 8B 85 ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 83 F8 00 48 89 85 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? }
condition:
Macho and filesize < 1000000 and all of them
}
rule XProtect_MACOS_60a3d68
{
meta:
description = "MACOS.60a3d68"
strings:
$a = { 23 21 }
$b1 = { 6f 70 65 6e 73 73 6c 20 65 6e 63 }
$b2 = { 2d 61 65 73 2d 32 35 36 2d 63 62 63 }
$c1 = { 2d 62 61 73 65 36 34 }
$c2 = { 2d 61 }
$d = { 2d 64 }
$e1 = { 2d 69 6e }
$e2 = { 2d 6e 6f 73 61 6c 74 }
$e3 = { 2d 73 61 6c 74 }
$e4 = { 2d 6b }
$e5 = { 2d 6f 75 74 }
$e6 = { 2d 70 61 73 73 }
$f1 = { 64 64 20 69 66 3d 2f 64 65 76 2f 75 72 61 6e 64 6f 6d 20 62 73 3d 24 28 6a 6f 74 20 2d 72 20 31 20 35 20 31 35 29 }
$f2 = { 62 61 73 65 36 34 20 7c 20 74 72 20 2d 64 63 20 27 61 2d 7a 41 2d 5a 30 2d 39 27 }
$f3 = { 3c 65 6e 63 29 22 }
$f4 = { 52 65 73 6f 75 72 63 65 73 2f 65 6e 63 29 22 }
$f5 = { 73 68 65 6c 6c 5f 65 78 65 63 }
$f6 = { 65 76 61 6c 20 65 63 68 6f }
condition:
$a at 0 and filesize < 3KB and all of ($b*) and any of ($c*) and $d and any of ($e*) and any of ($f*)
}
rule XProtect_MACOS_5af1486
{
strings:
$a1 = { 00 70 72 6f 6d 70 74 00 69 63 6f 6e 00 }
$a2 = { 00 64 61 74 61 31 00 70 6c 69 73 74 00 }
$b1 = { 55 48 89 e5 48 83 ec 50 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? b9 ?? ?? ?? ?? 89 ca 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 48 89 c7 48 ?? ?? ?? e8 ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 8b ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 c7 48 ?? ?? ?? e8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 0f 85 ?? ?? ?? ?? 48 ?? ?? ?? 48 83 c4 50 5d c3 e8 ?? ?? ?? ?? }
condition:
Macho and (filesize < 2MB) and all of them
}
rule XProtect_MACOS_03b5cbe
{
strings:
$a = { 48 ?? ?? ?? ?? ?? ?? 31 c0 e8 ?? ?? ?? ?? 49 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 41 ff d6 49 ?? ?? ?? 49 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? b9 01 00 00 00 41 ff d6 49 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 41 ff d6 84 c0 74 ?? }
$b = { 73 74 61 74 75 73 2e 70 6c 69 73 74 }
$c = { 74 72 69 67 67 65 72 }
condition:
Macho and (filesize < 100KB) and all of them
}
rule XProtect_MACOS_ce3281e
{
strings:
$a = { 4c ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 48 89 c7 e8 ?? ?? ?? ?? 49 89 c5 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 4c ?? ?? ?? ?? ?? ?? 31 c0 4c 89 f7 4c 89 e9 41 ff d4 48 89 c7 e8 ?? ?? ?? ?? 48 89 c3 4c ?? ?? ?? ?? ?? ?? 4c 89 ef 41 ff d6 4c ?? ?? ?? ?? ?? ?? 31 c0 4c 89 ff 48 89 de e8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 41 ff d4 48 ?? ?? ?? ?? ?? ?? 48 89 c7 48 ?? ?? ?? 48 89 da 41 ff d4 49 89 c5 48 ?? ?? ?? ?? ?? ?? 4c 89 ef 41 ff d4 48 89 c7 e8 ?? ?? ?? ?? 48 89 c3 31 c0 4c 89 ff 48 89 de e8 ?? ?? ?? ?? 48 89 df 41 ff d6 4d 85 ed 74 ?? }
$b = { 50 61 74 68 20 74 6f 20 70 72 65 66 3a 20 25 40 }
$c = { 73 65 61 72 63 68 76 }
$d = { 66 6f 72 6d 3d 41 50 4d 43 53 31 }
$e = { 2f 4c 69 62 72 61 72 79 2f 50 72 65 66 65 72 65 6e 63 65 73 2f 70 72 65 66 2e 70 6c 69 73 74 }
$f = { 66 72 3d 61 61 70 6c 77 }
condition:
Macho and (filesize < 100KB) and all of them
}
rule XProtect_MACOS_9bdf6ec
{
strings:
$a1 = { 48 8b 3d ?? ?? ?? ?? e8 ?? ?? ?? ?? 49 89 c4 48 89 df e8 ?? ?? ?? ?? 48 89 cb 48 89 c7 48 89 d6 48 89 da e8 ?? ?? ?? ?? 49 89 c6 48 89 df e8 ?? ?? ?? ?? 4c 89 ff e8 ?? ?? ?? ?? be 18 00 00 00 ba 07 00 00 00 48 8d 3d ?? ?? ?? ?? e8 ?? ?? ?? ?? 48 89 c3 4c 89 6b 10 48 8d 05 ?? ?? ?? ?? 48 89 45 b0 48 89 5d b8 48 8b 05 ?? ?? ?? ?? 48 89 45 90 c7 45 98 00 00 00 42 c7 45 9c 00 00 00 00 0f 28 45 80 0f 11 45 a0 48 8d 7d 90 e8 ?? ?? ?? ?? 49 89 c7 4c 89 ef e8 ?? ?? ?? ?? 48 89 df e8 ?? ?? ?? ?? 48 8b 35 ?? ?? ?? ?? 4c 89 e7 4c 89 f2 4c 89 f9 e8 ?? ?? ?? ?? 4c 89 ff e8 ?? ?? ?? ?? 4c 89 f7 e8 ?? ?? ?? ?? 48 8b 3d ?? ?? ?? ?? e8 ?? ?? ?? ?? 48 8b 35 ?? ?? ?? ?? 48 89 c7 f3 0f 7e 05 ?? ?? ?? ?? e8 ?? ?? ?? ?? ff 55 c8 a8 01 }
$a2 = { e8 ?? ?? ?? ?? 41 80 e7 01 44 88 78 10 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 89 4b 20 48 89 43 28 48 ?? ?? ?? ?? ?? ?? 48 89 03 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 66 48 0f 6e c0 48 ?? ?? ?? ?? ?? ?? 66 48 0f 6e c8 66 0f 6c c8 f3 0f 7f 4b 10 48 89 df e8 ?? ?? ?? ?? 49 89 c7 48 ?? ?? ?? e8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 4c 89 e2 4c 89 f9 e8 ?? ?? ?? ?? 4c 89 ff e8 ?? ?? ?? ?? 4c 89 e7 e8 ?? ?? ?? ?? 4c 89 f7 4c 89 ee e8 ?? ?? ?? ?? }
$b1 = { 73 68 6f 77 50 72 65 66 65 72 65 6e 63 65 73 46 6f 72 45 78 74 65 6e 73 69 6f 6e 57 69 74 68 49 64 65 6e 74 69 66 69 65 72 3a 63 6f 6d 70 6c 65 74 69 6f 6e 48 61 6e 64 6c 65 72 3a }
$b2 = { 67 65 74 53 74 61 74 65 4f 66 53 61 66 61 72 69 45 78 74 65 6e 73 69 6f 6e 57 69 74 68 49 64 65 6e 74 69 66 69 65 72 3a 63 6f 6d 70 6c 65 74 69 6f 6e 48 61 6e 64 6c 65 72 3a }
$b3 = { 6d 61 63 62 75 69 6c 64 65 72 5f 62 75 69 6c 64 73 }
$b4 = { 4c 6f 63 61 6c 53 61 66 61 72 69 41 70 70 45 78 74 }
condition:
Macho and (filesize < 200KB) and (1 of ($a*)) and (all of ($b*))
}
rule XProtect_MACOS_e79dc35
{
strings:
$a = { 73 65 61 72 63 68 [2-12] 2e 61 6b 61 6d 61 69 68 64 2e 6e 65 74 2f }
$b = { 49 be 79 73 00 00 00 00 00 ea 49 ?? ?? ?? ?? ?? ?? ?? ?? ?? 49 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 d8 e8 ?? ?? ?? ?? be 02 00 00 00 4c 89 e7 e8 ?? ?? ?? ?? 4c 89 ff e8 ?? ?? ?? ?? 49 81 c6 f5 00 00 00 48 89 df 4c 89 ee 4c 89 f2 e8 ?? ?? ?? ?? 49 89 dd e8 ?? ?? ?? ?? 49 89 c7 41 ?? ?? ?? ?? 4c 89 e3 49 c7 c4 ff ff ff ff 49 d3 e4 49 f7 d4 4d 21 e7 4c 89 f8 48 c1 e8 06 48 ?? ?? ?? ?? 4c 0f a3 f8 0f 83 ?? ?? ?? ?? }
$c1 = { 4c 6f 63 61 6c 53 61 66 61 72 69 41 70 70 45 78 74 }
$c2 = { 6c 61 73 74 48 65 61 72 74 62 65 61 74 }
$c3 = { 65 78 74 65 6e 73 69 6f 6e 49 64 }
$c4 = { 75 73 65 72 47 75 69 64 }
$c5 = { 41 70 70 45 78 74 48 65 61 72 74 62 65 61 74 }
condition:
Macho and (filesize < 300KB) and ($a or $b) and (3 of ($c*))
}
rule XProtect_MACOS_d92d83c
{
meta:
description = "MACOS.d92d83c"
strings:
$a1 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 4c 89 ff 41 ff d5 48 ?? ?? ?? c6 03 00 48 ?? ?? ?? ?? ?? ?? 4c 89 f6 41 ff d5 48 ?? ?? ?? ?? ?? ?? 48 89 c7 48 89 da 41 ff d5 48 89 c3 48 ?? ?? ?? ?? ?? ?? 4c 89 ff 48 89 da 41 ff d5 48 ?? ?? ?? ?? ?? ?? 4c 89 ff 41 ff d5 84 c0 74 ?? }
$a2 = { 73 75 64 6f 20 2d 53 20 65 63 68 6f 20 5f 5f 74 62 74 5f 74 72 75 65 20 32 3e 26 31 }
$a3 = { 4d 4d 5f 44 45 42 55 47 }
condition:
Macho and $a1 and ($a2 or $a3)
}
rule XProtect_MACOS_0e62876
{
meta:
description = "MACOS.0e62876"
strings:
$a = { 57 65 62 74 6f 6f 6c 73 43 6f 6e 66 69 67 }
$b = { 53 74 61 72 74 69 6e 67 20 70 72 6f 74 65 63 74 6f 72 20 69 6e 73 74 61 6c 6c 61 74 69 6f 6e }
$c = { 6a 73 46 72 6f 6d 41 70 70 6c 65 45 76 65 6e 74 73 45 6e 61 62 6c 65 64 }
condition:
Macho and all of them
}
rule XProtect_MACOS_de444f2
{
meta:
description = "MACOS.de444f2"
strings:
$a1 = { (48 | 49) 63 ?? 41 32 ?? ?? (88 8D ?? ?? ?? ?? 48 | 48) ?? ?? 74 ?? 88 ?? 48 ?? ?? ?? eb ?? }
$a2 = { 41 64 6d 69 6e 20 53 75 63 63 65 73 73 3a 20 25 40 }
$a3 = { 45 72 72 6f 72 3a 20 25 40 }
condition:
Macho and filesize < 250KB and all of them
}
rule XProtect_MACOS_b70290c
{
meta:
description = "MACOS.b70290c"
strings:
$a1 = { (48 | 49) 63 ?? 41 32 ?? ?? (88 8D ?? ?? ?? ?? 48 | 48) ?? ?? 74 ?? 88 ?? 48 ?? ?? ?? eb ?? }
$a2 = { 57 65 62 56 69 65 77 }
$a3 = { 4a 53 45 78 70 6f 72 74 }
condition:
Macho and filesize < 800KB and $a1 and ($a2 or $a3)
}
rule XProtect_MACOS_22d71e9
{
meta:
description = "MACOS.22d71e9"
strings:
$a1 = { (48 | 49) 63 ?? 41 32 ?? ?? (88 8D ?? ?? ?? ?? 48 | 48) ?? ?? 74 ?? 88 ?? 48 ?? ?? ?? eb ?? }
$a2 = { 57 65 62 56 69 65 77 }
$a3 = { 4a 53 45 78 70 6f 72 74 }
$a4 = { 25 34 64 2d 25 32 64 2d 25 32 64 54 25 32 64 3a 25 32 64 3a 25 32 64 5a }
condition:
Macho and filesize < 500KB and $a1 and #a2 == 0 and #a3 == 0 and $a4
}
rule XProtect_MACOS_6175e25
{
meta:
description = "MACOS.6175e25"
strings:
$a1 = { 00 25 40 25 40 25 40 25 40 00 25 63 00 }
$a2 = { 64 65 6c 65 74 65 41 70 70 42 79 53 65 6c 66 }
$a3 = { 65 6e 63 72 79 70 74 44 65 63 72 79 70 74 4f 70 65 72 61 74 69 6f 6e }
$a4 = { 45 6e 63 6f 64 65 44 65 63 6f 64 65 4f 70 73 }
$a5 = { 63 72 65 61 74 46 69 6c 65 4f 6e 54 65 6d 70 3a 73 63 72 70 4e 61 6d 65 3a }
condition:
Macho and all of ($a*) and filesize < 200KB
}
rule XProtect_MACOS_d1e06b8
{
meta:
description = "MACOS.d1e06b8"
strings:
$a1 = { 2f 00 2f 00 2a 00 45 00 72 00 72 00 6f 00 72 00 43 00 6f 00 64 00 65 00 2a 00 5c 00 5c 00 }
$a2 = { 28 00 3c 00 5e 00 5e 00 5e 00 5e 00 3e 00 29 00 }
$a3 = { 74 72 61 63 6b 69 6e 67 58 4d 4c }
$a4 = { 41 00 6c 00 6c 00 49 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 65 00 64 00 41 00 70 00 70 00 73 00 }
$a5 = { 6f 66 66 65 72 5f 70 61 72 61 6d 65 74 65 72 }
$a6 = { 6f 00 66 00 66 00 65 00 72 00 5f 00 69 00 64 00 }
condition:
PE and all of ($a*) and filesize < 200KB
}
rule XProtect_OSX_28a9883
{
meta:
description = "OSX.28a9883"
strings:
$a1 = { 3A 6C 61 62 65 6C 3A 70 6C 69 73 74 50 61 74 68 3A }
$a2 = { 3A 62 69 6E 3A 70 6C 69 73 74 3A }
$a3 = { 21 40 23 24 7E 5E 26 2A 28 29 5B 5D 7B 7D 3A 3B 3C 3E 2C 2E 31 71 32 77 33 65 34 72 35 74 36 79 37 75 38 69 39 6F 30 70 41 5A 53 58 44 43 46 56 47 42 48 4E 4A 4D 4B 4C 51 57 45 52 54 59 55 49 }
condition:
Macho and all of ($a*)
}
rule XProtect_OSX_Bundlore_D
{
meta:
description = "OSX.Bundlore.D"
strings:
$a1 = { 20 00 65 00 63 00 68 00 6F 00 20 00 }
$a2 = { 20 00 7C 00 20 00 6F 00 70 00 65 00 6E 00 73 00 73 00 6C 00 20 00 65 00 6E 00 63 00 20 00 2D 00 61 00 65 00 73 00 2D 00 32 00 35 00 36 00 2D 00 63 00 66 00 62 00 20 00 2D 00 70 00 61 00 73 00 73 00 20 00 70 00 61 00 73 00 73 00 3A }
$a3 = { 00 2D 00 73 00 61 00 6C 00 74 00 20 00 2D 00 41 00 20 00 2D 00 61 00 20 00 2D 00 64 00 20 00 7C 00 20 00 62 00 61 00 73 00 68 00 20 00 2D 00 73 }
$b1 = { 46 61 73 64 55 41 53 }
condition:
$b1 at 0 and all of ($a*) and filesize <= 3000
}
rule XProtect_OSX_Particle_Smasher_A
{
meta:
description = "OSX.ParticleSmasher.A"
strings:
$a1 = { 63 6F 75 6C 64 6E 27 74 20 6F 70 65 6E 20 74 68 65 20 64 62 00 }
$a2 = { 25 40 2F 4F 50 45 52 41 2E 7A 69 70 00 }
$a3 = { 25 40 2F 43 48 52 4F 4D 45 5F 25 40 2E 7A 69 70 00 }
$a4 = { 25 40 2F 53 41 46 41 52 49 2E 7A 69 70 00 }
$a5 = { 25 40 2F 46 49 52 45 46 4F 58 5F 25 40 2E 7A 69 70 00 }
$a6 = { 63 70 20 25 40 2F 70 6C 61 63 65 73 2E 73 71 6C 69 74 65 20 25 40 2F 70 6C 61 63 65 73 2E 73 71 6C 69 74 65 2E 64 75 6D 70 00 }
$a7 = { 63 70 20 25 40 2F 48 69 73 74 6F 72 79 20 25 40 2F 48 69 73 74 6F 72 79 2E 64 75 6D 70 00 }
condition:
Macho and filesize < 450000 and all of ($a*)
}
rule XProtect_OSX_HiddenLotus_A
{
meta:
description = "OSX.HiddenLotus.A"
strings:
$a1 = { 00 2F 00 25 6C 64 00 00 00 00 00 00 00 00 00 00 00 }
$a2 = { 00 72 62 00 00 20 26 00 00 00 00 00 00 00 }
$a3 = { 00 25 64 00 20 32 3E 26 31 00 72 00 0D 0A 00 00 }
$a4 = { 00 25 30 32 78 00 00 00 00 00 00 00 }
$a5 = { 00 3D 00 3B 00 00 00 }
condition:
Macho and all of ($a*) and filesize < 180000
}
rule XProtect_OSX_Mughthesec_B
{
meta:
description = "OSX.Mughthesec.B"
strings:
$a1 = { 42 75 6E 64 6C 65 4D 65 55 70 }
$a2 = { 50 75 62 6C 69 73 68 65 72 4F 66 66 65 72 53 74 61 74 65 }
$a3 = { 49 6E 73 74 61 6C 6C 50 72 6F 67 72 65 73 73 53 74 61 74 65 }
$a4 = { 41 64 76 65 72 74 69 73 65 72 4F 66 66 65 72 53 74 61 74 65 }
$b1 = { 42 65 72 54 61 67 67 65 64 44 61 74 61 }
$b2 = { 42 45 52 50 72 69 6E 74 56 69 73 69 74 6F 72 }
condition:
Macho and filesize < 3000000 and all of them
}
rule XProtect_OSX_HMining_D
{
meta:
description = "OSX.HMining.D"
strings:
$a1 = { 72 ?? 75 ?? 6E ?? 41 ?? 6C ?? 6C ?? 41 ?? 70 ?? 70 }
$a2 = { 66 ?? 69 ?? 72 ?? 65 ?? 46 ?? 6F ?? 78 ?? 53 ?? 65 ?? 74 ?? 4E ?? 74 ?? 53 ?? 70 }
$a3 = { 53 ?? 61 ?? 66 ?? 61 ?? 72 ?? 69 ?? 2E ?? 61 ?? 70 ?? 70 }
$a4 = { 63 ?? 6F ?? 6D ?? 2E ?? 61 ?? 70 ?? 70 ?? 6C ?? 65 ?? 2E ?? 53 ?? 61 ?? 66 ?? 61 ?? 72 ?? 69 }
$a5 = { 63 ?? 6F ?? 6D ?? 2E ?? 61 ?? 70 ?? 70 ?? 6C ?? 65 ?? 2E ?? 71 ?? 75 ?? 61 ?? 72 ?? 61 ?? 6E ?? 74 ?? 69 ?? 6E ?? 65 }
condition:
Macho and filesize <= 2000000 and all of ($a*)
}
rule XProtect_Bundlore_B
{
meta:
description = "OSX.Bundlore.B"
strings:
$a1 = { 46 61 73 64 55 41 53 }
$b1 = { 69 00 66 00 20 00 5B 00 5B 00 20 00 22 00 24 00 7B 00 6F 00 73 00 76 00 65 00 72 00 7D 00 22 00 20 00 3D 00 3D 00 20 00 2A 00 22 00 31 00 30 00 2E 00 31 00 32 00 22 00 2A 00 20 00 5D 00 5D 00 3B 00 20 00 74 00 68 00 65 00 6E 00 20 00 76 00 65 00 72 00 46 00 6F 00 6C 00 64 00 65 00 72 00 3D 00 22 00 53 00 69 00 65 00 72 00 72 00 61 00 2F 00 22 00 3B 00 20 00 66 00 69 00 3B 00 0A 00 20 00 20 00 20 00 20 00 63 00 75 00 72 00 6C 00 20 00 2D 00 73 00 4C 00 20 00 2D 00 6F 00 20 00 22 00 24 00 7B 00 54 00 4D 00 50 00 44 00 49 00 52 00 7D 00 }
$b2 = { 20 00 20 00 20 00 20 00 63 00 68 00 6D 00 6F 00 64 00 20 00 2B 00 78 00 20 00 22 00 24 00 7B 00 54 00 4D 00 50 00 44 00 49 00 52 00 7D 00 2F 00 }
$b3 = { 20 00 72 00 6D 00 20 00 2D 00 72 00 66 00 20 00 22 00 24 00 7B 00 54 00 4D 00 50 00 44 00 49 00 52 00 7D 00 2F 00 6D 00 6D 00 5F 00 73 00 74 00 75 00 62 00 22 00 }
condition:
$a1 at 0 and all of ($b*) and filesize <= 3000
}
rule XProtect_OSX_AceInstaller_B
{
meta:
description = "OSX.AceInstaller.B"
strings:
$a1 = { 41 63 65 49 6E 73 74 61 6C 6C 65 72 }
$a2 = { 73 65 74 4F 66 66 65 72 73 4C 61 62 65 6C }
$b1 = { 2F 74 6D 70 2F 70 73 63 72 2E 73 68 }
$b2 = { 2F 74 6D 70 2F 4F 66 66 65 72 25 6C 64 2E 73 68 }
$b3 = { 2F 74 6D 70 2F 6D 73 63 72 2E 73 68 }
condition:
Macho and filesize < 250000 and
$a1 or $a2 and
all of ($b*)
}
rule XProtect_AdLoad_B_2 : dropper
{
meta:
description = "OSX.AdLoad.B.2"
strings:
$a1 = {48 8B ?? ?? ?? ?? ?? 48 8D 5D B8 48 89 03 C7 43 08 00 00 00 C2 C7 43 0C 00 00 00 00 48 8D ?? ?? ?? ?? ?? 48 89 43 10 48 8D ?? ?? ?? ?? ?? 48 89 43 18 4C 89 F7 ?? ?? ?? ?? ?? ?? 48 89 43 20 4C 89 FF 48 89 DE ?? ?? ?? ?? ?? 4C 89 FF ?? ?? ?? 48 8B 7B 20 ?? ?? ??
48 83 C4 30}
$b1 = {67 65 74 53 61 66 61 72 69 56 65 72 73 69 6F 6E}
condition:
Macho and filesize < 300000 and $a1 and $b1
}
rule XProtect_AdLoad_B_1
{
meta:
description = "OSX.AdLoad.B.1"
strings:
$a1 = {73 65 74 49 6E 73 74 61 6C 6C 46 69 6E 69 73 68 65 64 54 65 78 74}
$a2 = {73 65 74 46 69 6E 69 73 68 54 69 63 6B 49 6D 61 67 65 56 69 65 77}
$a3 = {4F 66 66 65 72 43 6F 6E 74 72 6F 6C 6C 65 72}
$a4 = {26 4F 46 46 45 52 5F 49 44 3D 25 40}
condition:
Macho and filesize < 400000 and (all of ($a*))
}
rule XProtect_AdLoad_A
{
meta:
description = "OSX.AdLoad.A"
strings:
$a1 = {73 65 74 4F 66 66 65 72 55 72 6C}
$a2 = {73 65 74 4F 66 66 65 72 50 61 74 68}
$a3 = {73 65 74 4F 66 66 65 72 4E 61 6D 65}
$a4 = {2F 74 6D 70 2F 50 72 6F 64 75 63 74 2E 64 6D 67}
condition:
Macho and filesize < 40000 and (all of ($a*))
}
rule XProtect_OSX_Mughthesec_A
{
meta:
description = "OSX.Mughthesec.A"
strings:
$a1 = { 54 52 4D 43 5F 49 6E 73 74 61 6C 6C 5F 53 74 61 72 74 5F 31 }
$a2 = { 66 61 6C 6C 62 61 63 6B 44 6D 67 4E 61 6D 65 }
$a3 = { 66 61 6C 6C 62 61 63 6B 49 6E 73 74 61 6C 6C 65 72 4E 61 6D 65 }
$a4 = { 6F 66 66 65 72 53 63 72 65 65 6E 55 72 6C }
$b1 = { 42 65 72 54 61 67 67 65 64 44 61 74 61 }
$b2 = { 42 45 52 50 72 69 6E 74 56 69 73 69 74 6F 72 }
condition:
Macho and filesize < 3000000 and all of them
}
rule XProtect_OSX_Leverage_A
{
meta:
description = "OSX.Leverage.A"
strings:
$a1 = { FF 65 63 68 6F 20 27 3C 3F 78 6D 6C 20 }
$a2 = { 72 62 66 72 61 6D 65 77 6F 72 6B 2E 64 79 6C 69 62 }
$a3 = { 3? 6C 61 75 6E 63 68 63 74 6C 20 6C 6F 61 64 20 7E 2F 4C 69 62 72 61 72 79 2F 4C 61 75 6E 63 68 41 67 65 6E 74 73 }
$a4 = { 6D 6B 64 69 72 20 7E 2F 4C 69 62 72 61 72 79 2F 4C 61 75 6E 63 68 41 67 65 6E 74 73 }
$b1 = { 6D 57 61 69 74 46 6F 72 54 68 69 73 43 6F 6D 6D 61 6E 64 }
$b2 = { 6D 57 61 69 74 69 6E 67 46 6F 72 41 43 6F 6D 6D 61 6E 64 }
condition:
Macho and filesize < 3000000 and all of them
}
rule XProtect_OSX_ATG15_B
{
meta:
description = "OSX.ATG15.B"
xprotect_rule = true
strings:
$a1 = { 80 7C 39 3C 32 BA BB 80 F3 B9 B4 34 B8 34 39 80 }
$a2 = { FC BF 34 BA 7C BA 34 36 B9 BC BA 3C 80 7C 39 3C }
$a3 = { 32 BA BB 76 BA 34 3C B9 BF B7 8F 30 B3 B9 3C 32 }
$b1 = { 9C 85 89 27 8B 9C 85 89 27 8B 9C 85 89 27 8B 9C }
condition:
Macho and filesize < 200KB and all of them
}
rule XProtect_OSX_Genieo_G
{
meta:
description = "OSX.Genieo.G"
strings:
$a1 = {67 65 74 53 61 66 61 72 69 48 69 73 74 6F 72 79}
$a2 = {73 65 6c 65 63 74 20 63 6f 75 6e 74 28 2a 29 20 66 72 6f 6d 20 6d 6f 7a 5f 68 69 73 74 6f 72 79 76 69 73 69 74 73}
$a3 = {53 46 45 58 54 46 69 6c 65 4d 61 6e 61 67 65 72}
condition:
Macho and filesize < 2000000 and (all of ($a*))
}
rule XProtect_Genieo_G_1
{
meta:
description = "OSX.Genieo.G.1"
strings:
$b1 = {69 6e 73 74 61 6c 6c 5f 75 72 6c 5f 73 75 66 66 69 78}
$b2 = {76 65 72 5f 64 61}
$b3 = {6f 66 66 65 72 5f 69 64}
condition:
Macho and filesize < 2000000 and all of them
}
rule XProtect_OSX_Proton_B
{
meta:
description = "OSX.Proton.B"
condition:
Macho and filesize < 800000 and hash.sha1(0, filesize) == "a8ea82ee767091098b0e275a80d25d3bc79e0cea"
}
rule XProtect_OSX_Dok_B
{
meta:
description = "OSX.Dok.B"
strings:
$a1 = {53 65 6C 66 49 6E 73 74 61 6C 6C}
$a2 = {49 73 4C 6F 67 69 6E 53 63 72 69 70 74 45 78 69 73 74 73}
$a3 = {41 64 64 4C 6F 67 69 6E 53 63 72 69 70 74}
$b1 = {49 79 45 76 64 58 4E 79 4C 32 4A 70 62 69 39 6C 62 6E 59 67 63 48 6C 30 61 47 39 75 43 69 4D 67 4C 53 6F 74 49 47 4E 76 5A 47 6C 75 5A 7A 6F 67 64 58 52 6D 4C 54 67 67 4C 53 6F 74 43 6D 6C 74 63}
condition:
Macho and filesize < 600000 and filesize > 10000 and all of them
}
rule XProtect_OSX_Dok_A
{
meta:
description = "OSX.Dok.A"
strings:
$a1 = {55 70 64 61 74 65 73}
$a2 = {49 6E 73 74 61 6C 6C 54 6F 72}
$b1 = {49 6E 73 74 61 6C 6C 43 65 72 74}
$b2 = {62 61 73 65 36 34 20 2D 69 20 25 40}
condition:
Macho and filesize < 100000 and all of them
}
rule OSX_Bundlore_A
{
meta:
description = "OSX.Bundlore.A"
strings:
$a1 = { 4F 66 66 65 72 73 49 6E 73 74 61 6C 6C 53 63 72 69 70 74 55 72 6C }
$a2 = { 53 6F 66 74 77 61 72 65 49 6E 73 74 61 6C 6C 53 63 72 69 70 74 55 72 6C }
$a3 = { 63 6F 6D 2E 67 6F 6F 67 6C 65 2E 43 68 72 6F 6D 65 }
$a4 = { 2E 74 6D 70 6D 61 }
$a5 = { 50 6C 65 61 73 65 20 77 61 69 74 20 77 68 69 6C 65 20 79 6F 75 72 20 73 6F 66 74 77 61 72 65 20 69 73 20 62 65 69 6E 67 20 69 6E 73 74 61 6C 6C 65 64 2E 2E 2E }
condition:
filesize < 500000 and Macho and 4 of ($a*)
}
rule OSX_Findzip_A {
meta:
description = "OSX.Findzip.A"
strings:
$a = {54 6b 39 55 49 46 6c 50 56 56 49 67 54 45 46 4f 52 31 56 42 52 30 55 2f 49 46 56 54 52 53 42 6f 64 48 52 77 63 7a 6f 76 4c 33 52 79 59 57 35 7a 62 47 46 30 5a 53 35 6e 62 32 39 6e 62 47 55 75 59 32 39 74 44 51 6f 4e 43 6c 64 6f 59 58 51 67 61 47 46 77 63 47 56 75 5a 57 51 67 64 47 38 67 65 57 39 31 63 69 42 6d 61 57 78 6c 63 79 41 2f 44 51 70}
$b1 = {2f 75 73 72 2f 62 69 6e 2f 66 69 6e 64}
$b2 = {7b 7d 2e 63 72 79 70 74}
$b3 = {52 45 45 41 44 4d 45 21 2e 74 78 74}
$b4 = {2f 75 73 72 2f 62 69 6e 2f 64 69 73 6b 75 74 69 6c}
condition:
filesize < 100000 and Macho and ($a or (all of ($b*)))
}
rule OSX_Proton_A
{
meta:
description = "OSX.Proton.A"
strings:
$a1 = {4E 65 74 77 6F 72 6B 20 43 6F 6E 66 69 67 75 72 61 74 69 6F 6E 20 6E 65 65 64 73 20 74 6F 20 75 70 64 61 74 65 20 44 48 43 50 20 73 65 74 74 69 6E 67 73 2E 20 54 79 70 65 20 79 6F 75 72 20 70 61 73 73 77 6F 72 64 20 74 6F 20 61 6C 6C 6F 77 20 74 68 69 73 2E}
$a2 = {49 6E 73 74 61 6C 6C 65 72 20 77 61 6E 74 73 20 74 6F 20 6D 61 6B 65 20 63 68 61 6E 67 65 73 2E 20 54 79 70 65 20 79 6F 75 72 20 70 61 73 73 77 6F 72 64 20 74 6F 20 61 6C 6C 6F 77 20 74 68 69 73}
$b1 = {66 69 6C 65 5F 75 70 6C 6F 61 64}
$b2 = {73 73 68 5F 74 75 6E 6E 65 6C}
$b3 = {64 6F 77 6E 6C 6F 61 64 5F 66 69 6C 65}
$b4 = {65 78 65 63 5F 70 75 73 68}
$b5 = {66 76 5F 61 63 74 69 6F 6E}
condition:
Macho and filesize < 200000 and all of ($b*) and any of ($a*)
}
rule OSX_XAgent_A
{
meta:
description = "OSX.XAgent.A"
strings:
$a = {49 0F BE 14 07 41 8D 45 FD 49 0F BE 34 07 41 8D 7D FF 41 8D 45 FE 49 0F BE 1C 07 48 83 FB 3D B8 00 00 00 00 B9 01 00 00 00 74 0A 42 0F B6 04 33 B9 02 00 00 00 42 8A 1C 32 42 0F B6 34 36 89 FA 49 0F BE 3C 17 45 31 C0 48 83 FF 3D 74 0E 46 0F B6 04 37 41 83 E0 3F B9 03 00 00 00 C0 E3 02 40 88 F2 C0 EA 04 80 E2 03 08 DA 88 55 D5 C1 E6 04 89 C2 C1 EA 02 83 E2 0F 09 F2 88 55 D6 C1 E0 06 44 09 C0 88 45 D7 4C 89 E7}
$s1 = {53 45 4C 45 43 54 20 68 6F 73 74 6E 61 6D 65 2C 20 65 6E 63 72 79 70 74 65 64 55 73 65 72 6E 61 6D 65 2C 20 65 6E 63 72 79 70 74 65 64 50 61 73 73 77 6F 72 64}
$s2 = {72 6D 20 2D 72 66 20 25 40 2F 4C 69 62 72 61 72 79 2F 41 73 73 69 73 74 61 6E 74 73 2F 2E 6C 6F 63 61 6C 2F}
condition:
Macho and filesize < 400000 and ((all of ($s*)) and $a)
}
rule OSX_iKitten_A
{
meta:
description = "OSX.iKitten.A"
strings:
$a = {48 83 F8 00 48 89 85 C0 FE FF FF 0F 84 FC 01 00 00 31 C0 89 C1 48 8D 95 F0 FE FF FF 48 83 C2 10 48 8B B5 00 FF FF FF 48 8B 36 48 8B BD C0 FE FF FF 48 89 B5 B8 FE FF FF 48 89 95 B0 FE FF FF 48 89 8D A8 FE FF FF 48 89 BD A0 FE FF FF 48 8B 85 A0 FE FF FF 48 8B 8D A8 FE FF FF 48 8B 95 B0 FE FF FF 48 8B 32 48 8B BD B8 FE FF FF 48 39 3E 48 89 85 98 FE FF FF 48 89 8D 90 FE FF FF 0F 84 0F 00 00 00 48 8B 85 C8 FE FF FF 48 89 C7}
$b = {48 89 45 E0 48 8B 3D 80 38 03 00 48 8B 35 E9 33 03 00 41 B8 04 00 00 00 44 89 C1 45 31 C0 44 89 C2 48 89 55 C0 48 89 C2 48 89 4D B8 4C 8B 45 C0 48 8B 45 C8 ?? ?? 48 89 C7 ?? ?? ?? ?? ?? 48 89 45 D8 48 8B 35 4A 34 03 00 48 8D 15 13 18 03 00 48 8D 0D 6C 17 03 00 48 89 C7 48 8B 45 C8 ?? ?? 48 89 C7}
$s1 = {69 66 20 63 61 74 20 2F 65 74 63 2F 72 63 2E 63 6F 6D 6D 6F 6E 20 7C 20 67 72 65 70 20 25 40 3B}
$s2 = {7A 69 70 20 2D 72 20 2D 6A 20 25 40 20 25 40}
condition:
Macho and filesize < 400000 and $a and $b and (all of ($s*))
}
rule OSX_HMining_C
{
meta:
description = "OSX.HMining.C"
strings:
$a1 = {55 48 89 E5 41 57 41 56 53 50 4C 8B 7F 48 4C 8B 77 50 48 8B 5F 58 48 89 DF ?? ?? ?? ?? ?? 4C 89 FF 4C 89 F6 48 89 DA ?? ?? ?? ?? ?? 48 89 C7 48 83 C4 08 5B 41 5E 41 5F 5D}
$a2 = {55 48 89 E5 41 57 41 56 41 54 53 41 89 CE 48 89 D3 48 89 DF ?? ?? ?? ?? ?? 48 89 DF ?? ?? ?? ?? ?? 48 89 CB 48 89 C7 48 89 D6 48 89 DA 44 89 F1 ?? ?? ?? ?? ?? 49 89 C6 49 89 D7 49 89 CC 48 89 DF ?? ?? ?? ?? ?? 4C 89 F7 4C 89 FE 4C 89 E2 ?? ?? ?? ?? ?? 48 89 C7 5B 41 5C 41 5E 41 5F 5D}
condition:
Macho and filesize <= 600000 and
all of ($a*)
}
rule HMiningB
{
meta:
description = "OSX.HMining.B"
strings:
$a1 = {48 89 C7 41 FF D6 48 89 85 E8 FE FF FF 0F 57 C0 0F 29 85 40 FF FF FF 0F 29 85 30 FF FF FF 0F 29 85 20 FF FF FF 0F 29 85 10 FF FF FF ?? ?? ?? ?? ?? ?? ?? 48 8D 95 10 FF FF FF 48 8D 8D 50 FF FF FF 41 B8 10 00 00 00 48 89 C7 41 FF D6 48 89 85 08 FF FF FF 48 85 C0 B8 00 00 00 00 48 89 85 D8 FE FF FF 0F 84 44 01 00 00 48 8B 85 20 FF FF FF 48 8B 00 48 89 85 F8 FE FF FF}
$a2 = {48 89 DF ?? ?? ?? 49 89 C4 4C 89 65 B8 ?? ?? ?? ?? ?? ?? ?? BA 04 00 00 00 4C 89 F7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 89 C7 ?? ?? ?? 48 89 45 C8 ?? ?? ?? ?? ?? ?? ?? 48 89 DF 41 FF D7 4C 89 F9 48 85 C0 74 59 ?? ?? ?? ?? ?? ?? ?? 45 31 FF 45 31 F6 4C 8B 6D C8 41 8A 45 00 43 30 04 3C 49 FF C5 41 FF C6 4D 63 F6 48 8B 7D C0 48 89 DE 49 89 CC 41 FF D4 49 39 C6 4C 0F 44 6D C8 B8 00 00 00 00 44 0F 44 F0 49 FF C7 48 8B 7D D0 48 89 DE 41 FF D4 4C 89 E1 4C 8B 65 B8 49 39 C7 72 B8 48 8B 45 D0 48 83 C4 28 5B 41 5C 41 5D 41 5E 41 5F 5D C3 }
condition:
Macho and filesize <= 500000 and all of ($a*)
}
rule NetwireA
{
meta:
description = "OSX.Netwire.A"
strings:
$a = { 03 04 15 1A 0D 0A 65 78 69 74 0D 0A 0D 0A 65 78 69 74 0A 0A 00 }
$b = { 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 20 4E 54 20 36 2E 33 3B 20 57 4F 57 36 34 3B 20 54 72 69 64 65 6E 74 2F 37 2E 30 3B 20 72 76 3A 31 31 2E 30 29 20 6C 69 6B 65 20 47 65 63 6B 6F 0D 0A 41 63 63 65 70 74 3A 20 74 65 78 74 2F 68 74 6D 6C 2C 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78 68 74 6D 6C 2B 78 6D 6C 2C 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78 6D 6C 3B 71 3D 30 2E 39 2C 69 6D 61 67 65 2F 77 65 62 70 2C 2A 2F 2A 3B 71 3D 30 2E 38 }
condition:
all of them
}
rule BundloreB
{
meta:
description = "OSX.Bundlore.B"
strings:
$a = {5F 5F 4D 41 5F 41 70 70 44 65 6C 65 67 61 74 65}
$b = {5F 5F 4D 41 5F 44 65 74 65 63 74 65 64 50 72 6F 64 75 63 74 73 48 61 6E 64 6C 65 72}
$c = {5F 5F 4D 41 5F 44 6D 67 53 6F 75 72 63 65 52 65 61 64 65 72}
condition:
2 of ($a,$b,$c)
}
rule EleanorA
{
meta:
description = "OSX.Eleanor.A"
condition:
filesize <= 3500 and uint8(0) == 0x23 and
(
hash.sha1(0, filesize) == "de642751e96b8c53744f031a6f7e929d53226321" or
hash.sha1(0, filesize) == "1f782e84ddbf5fd76426f6f9bf3d4238d2ec9a4b"
)
}
rule HMining_Binary_A
{
meta:
description = "OSX.HMining.A"
strings:
$a = {68 69 64 65 4F 70 65 72 61 74 6F 72 57 69 64 6F 77 41 66 74 65 72 41 64 6D 69 6E}
$b = {48 8B 85 98 FE FF FF 48 89 44 24 38 48 8B 85 90 FE FF FF 48 89 44 24 30 48 8B 85 80 FE FF FF 48 8B 8D 88 FE FF FF 48 89 4C 24 28 48 89 44 24 20 48 8B 85 00 FF FF FF 48 89 44 24 18 48 8B 85 F8 FE FF FF 48 89 44 24 10 48 8B 85 E8 FE FF FF 48 8B 8D F0 FE FF FF 48 89 4C 24 08 48 89 04 24}
$c = {61 6C 6C 43 6F 6D 70 65 74 69 74 6F 72 73 41 67 65 6E 74 44 65 6D 6F 6E 64}
$d = {63 72 65 61 74 65 41 6E 64 4C 6F 61 64 41 67 65 6E 74 50 6C 69 73 74 50 61 74 68 3A 61 67 65 6E 74 50 6C 69 73 74 4E 61 6D 65 3A 61 67 65 6E 74 50 6C 69 73 74 4B 65 79 41 72 72 3A 61 67 65 6E 74 50 6C 69 73 74 56 61 6C 41 72 72 3A 69 73 41 64 6D 69 6E 3A}
condition:
Macho and (($a and $b) or ($c and $d))
}
rule TroviProxyApp
{
meta:
description = "OSX.Trovi.A"
strings:
$a = {72 65 63 65 69 76 69 6E 67 57 65 62 73 69 74 65 53 74 61 72 74 65 64}
$b = {68 74 6D 6C 49 6E 6A 65 63 74 65 64}
condition:
Macho and ($a and $b)
}
rule HMining
{
meta:
description = "OSX.Hmining.A"
strings:
$a = {68 69 64 65 4F 70 65 72 61 74 6F 72 57 69 64 6F 77 41 66 74 65 72 41 64 6D 69 6E}
$b = {48 8B 85 98 FE FF FF 48 89 44 24 38 48 8B 85 90 FE FF FF 48 89 44 24 30 48 8B 85 80 FE FF FF 48 8B 8D 88 FE FF FF 48 89 4C 24 28 48 89 44 24 20 48 8B 85 00 FF FF FF 48 89 44 24 18 48 8B 85 F8 FE FF FF 48 89 44 24 10 48 8B 85 E8 FE FF FF 48 8B 8D F0 FE FF FF 48 89 4C 24 08 48 89 04 24}
condition:
Macho and ($a and $b)
}
rule BundloreA
{
meta:
description = "OSX.Bundlore.A"
strings:
$a = {5F 5F 6D 6D 5F 67 65 74 49 6E 6A 65 63 74 65 64 50 61 72 61 6D 73}
$b = {5F 5F 6D 6D 5F 72 75 6E 53 68 65 6C 6C 53 63 72 69 70 74 41 73 52 6F 6F 74}
condition:
Macho and ($a and $b)
}
rule GenieoE
{
meta:
description = "OSX.Genieo.E"
strings:
$a = {47 4E 53 69 6E 67 6C 65 74 6F 6E 47 6C 6F 62 61 6C 43 61 6C 63 75 6C 61 74 6F 72}
$b = {47 4E 46 61 6C 6C 62 61 63 6B 52 65 70 6F 72 74 48 61 6E 64 6C 65 72}
condition:
Macho and ($a and $b)
}
rule OSX_ExtensionsInstaller_A
{
meta:
description = "OSX.ExtensionsInstaller.A"
strings:
$a1 = {72 65 6D 6F 76 65 58 61 74 74 72 54 6F}
$a2 = {67 65 74 43 72 79 70 74 65 64 44 61 74 61 46 72 6F 6D 55 72 6C}
$a3 = {67 65 74 42 65 73 74 4F 66 66 65 72 43 6F 6E 66 69 67 3A 61 63 63 65 70 74 65 64 4F 66 66 65 72 73}
$b1 = {53 61 66 61 72 69 45 78 74 65 6E 73 69 6F 6E 49 6E 73 74 61 6C 6C 65 72}
$b2 = {54 61 72 43 6F 6D 70 72 65 73 73 6F 72}
condition:
Macho and filesize < 2500000 and all of them
}
rule InstallCoreA
{
meta:
description = "OSX.InstallCore.A"
strings:
$a = {C6 45 A0 65 C6 45 A1 52 C6 45 A2 4A C6 45 A3 50 C6 45 A4 5B C6 45 A5 57 C6 45 A6 72 C6 45 A7 48 C6 45 A8 53 C6 45 A9 5D C6 45 AA 25 C6 45 AB 33 C6 45 AC 42 C6 45 A0 53 B8 01 00 00 00}
$b = {49 89 DF 48 89 C3 FF D3 4C 89 EF FF D3 48 8B 7D B0 FF D3 48 8B 7D B8 FF D3 4C 89 FF FF D3 4C 8B 6D C0 48 8B 7D A8}
$c = {49 43 4A 61 76 61 53 63 72 69 70 74 45 6E 76 69 72 6F 6E 6D 65 6E 74 49 6E 66 6F}
condition:
Macho and ($a or $b or $c)
}
rule KeRangerA
{
meta:
description = "OSX.KeRanger.A"
strings:
$a = {48 8D BD D0 EF FF FF BE 00 00 00 00 BA 00 04 00 00 31 C0 49 89 D8 ?? ?? ?? ?? ?? 31 F6 4C 89 E7 ?? ?? ?? ?? ?? 83 F8 FF 74 57 C7 85 C4 EB FF FF 00 00 00 00}
condition:
Macho and $a
}
rule CrossRiderA : adware
{
meta:
description="OSX.CrossRider.A"
strings:
$a = {E9 00 00 00 00 48 8B 85 00 FE FF FF 8A 08 88 8D 5F FE FF FF 0F BE 95 5F FE FF FF 83 C2 D0 89 55 E0 48 8B B5 60 FE FF FF 48 8B BD 40 FE FF FF}
condition:
Macho and $a
}
rule GenieoDropper
{
meta:
description = "OSX.GenieoDropper.A"
strings:
$a = {66756E6374696F6E204163636570744F666665727328297B}
$b = {747261636B416E616C79746963734576656E742822657865637574696F6E222C224A7352756E22293B}
condition:
$a and $b
}
rule XcodeGhost
{
meta:
description = "OSX.XcodeGhost.A"
strings:
$a = {8346002008903046 [0-1000] 082108A800910021019101210296032203955346CDF810B0059406900120}
$b = {8346002007902046 [0-1000] 082107A8009100210DF10409032289E8320801214346059606900120}
$c = {8346002007903046 [0-1000] 082107A800910021019101210296032203955346CDF810B0059406900020}
condition:
Macho and ($a or $b or $c)
}
rule GenieoD
{
meta:
description = "OSX.Genieo.D"
strings:
$a = {49 89 C4 0F 57 C0 0F 29 85 80 FE FF FF 0F 29 85 70 FE FF FF 0F 29 85 60 FE FF FF 0F 29 85 50 FE FF FF 41 B8 10 00 00 00 4C 89 E7 48 8B B5 40 FE FF FF 48 8D 95 50 FE FF FF 48}
$b = {F2 0F 59 C1 F2 0F 5C D0 F2 0F 11 55 B8 0F 28 C2 F2 0F 10 55 D8 F2 0F 10 5D C8 F2 0F 58 DA F2 0F 59 D1 F2 0F 5C DA F2 0F 11 5D B0 0F 28 CB 31 FF BE 05 00 00 00 31 D2}
$c = {49 6E 73 74 61 6C 6C 4D 61 63 41 70 70 44 65 6C 65 67 61 74 65}
condition:
($a or $b) and $c
}
rule GenieoC
{
meta:
description = "OSX.Genieo.C"
condition:
Macho and filesize <= 500000 and
hash.sha1(0, filesize) == "a3e827031f1466444272499ef853484bac1eb90b"
}
rule GenieoB
{
meta:
description = "OSX.Genieo.B"
condition:
Macho and filesize <= 600000 and
(hash.sha1(0, filesize) == "495735da5fb582b93d90fff2c8b996d25e21aa31" or hash.sha1(0, filesize) == "0e196c0677bf6f94411229defc94639dd1b62b76")
}
rule VindinstallerA
{
meta:
description = "OSX.Vindinstaller.A"
condition:
Macho and filesize <= 1200000 and
hash.sha1(0, filesize) == "c040eee0f0d06d672cbfca94f2cbfc19795dd98d"
}
rule OpinionSpyB
{
meta:
description = "OSX.OpinionSpy.B"
condition:
filesize <= 9000000 and hash.sha1(0, filesize) == "a0d0b9d34f07c7d99852b9b833ba8f472bb56516"
}
rule GenieoA
{
meta:
description = "OSX.Genieo.A"
condition:
Macho and filesize <= 400000 and
hash.sha1(0, filesize) == "d07341c08173d0e885e6cafd7d5c50ebde07b205"
}
rule InstallImitatorC
{
meta:
description = "OSX.InstallImitator.C"
condition:
Macho and filesize <= 400000 and
hash.sha1(0, filesize) == "eeac1275e018e886b3288daae7b07842aec57efd"
}
rule InstallImitatorB
{
meta:
description = "OSX.InstallImitator.B"
strings:
$a = {4989C64C89FF41FFD44889DF41FFD4488B7DC041FFD4488B7DA841FFD4488B5DB84889DF41FFD4488B7DB041FFD44889DF41FFD44C89F74883C4385B415C415D415E415F5D}
condition:
Macho and $a
}
rule InstallImitatorA
{
meta:
description = "OSX.InstallImitator.A"
condition:
Macho and filesize <= 800000 and
(
hash.sha1(0, filesize) == "f58722369a28920076220247a0c4e3360765f0ba" or
hash.sha1(0, filesize) == "3b7e269867c5e1223f502d39dc14de30b1efdda9" or
hash.sha1(0, filesize) == "734d7e37ec664a7607e62326549cb7d3088ed023" or
hash.sha1(0, filesize) == "ea45a2a22ca9a02c07bb4b2367e5d64ea7314731" or
hash.sha1(0, filesize) == "f9646dc74337ee23a8c159f196419c46518a8095" or
hash.sha1(0, filesize) == "cd9b8da9e01f3ebf0e13c526a372fa65495e3778" or
hash.sha1(0, filesize) == "16b59ab450a9c1adab266aefcf4e8f8cf405ac9c" or
hash.sha1(0, filesize) == "4c87de3aa5a9c79c7f477baa4a23fba0e62dc9d8" or
hash.sha1(0, filesize) == "4df5387fe72b8abe0e341012334b8993f399d366"
)
}
rule VSearchA
{
meta:
description = "OSX.VSearch.A"
condition:
Macho and filesize <= 2000000 and
(
hash.sha1(0, filesize) == "6c6acb179b232c0f1a6bb27699809320cc2c1529" or
hash.sha1(0, filesize) == "cebb19fee8fd72c0975ea9a19feea3b5ce555f94" or
hash.sha1(0, filesize) == "1503f1d7d275e976cd94cfd72929e0409e0cf76a" or
hash.sha1(0, filesize) == "c50adfa949a70b33d77050d7f0e2f86bccbc25cf" or
hash.sha1(0, filesize) == "40346b3946d7824d38f5ba71181f5c06805200af"
)
}
rule MachookA
{
meta:
description = "OSX.Machook.A"
condition:
Macho and filesize <= 40000 and
(
hash.sha1(0, filesize) == "e2b9578780ae318dbdb949aac32a7dde6c77d918" or
hash.sha1(0, filesize) == "bb8cbc2ab928d66fa1f17e02ff2634ad38a477d6"
)
}
rule MachookB
{
meta:
description = "OSX.Machook.B"
condition:
Macho and filesize <= 100000 and
(
hash.sha1(0, filesize) == "ae3e35f8ac6a2a09abdb17dbce3874b9fd9a7b7b"
)
}
rule IWormA
{
meta:
description = "OSX.iWorm.A"
xprotect_rule = true
condition:
Macho and filesize <= 200000 and
(
hash.sha1(0, filesize) == "c0800cd5095b28da4b6ca01468a279fb5be6921a"
)
}
rule IWormBC
{
meta:
description = "OSX.iWorm.B/C"
xprotect_rule = true
condition:
filesize <= 500 and hash.sha1(0, filesize) == "5e68569d32772a479dfa9e6a23b2f3ae74b2028f"
}
rule NetWeirdB
{
meta:
description = "OSX.NetWeird.ii"
xprotect_rule = true
condition:
Macho and filesize <= 200000 and
(
hash.sha1(0, filesize) == "ed119afc2cc662e983fed2517e44e321cf695eee" or
hash.sha1(0, filesize) == "b703e0191eabaa41e1188c6a098fed36964732e2"
)
}
rule NetWeirdA
{
meta:
description = "OSX.NetWeird.i"
xprotect_rule = true
condition:
Macho and filesize <= 200000 and
(
hash.sha1(0, filesize) == "6f745ef4f9f521984d8738300148e83f50d01a9d" or
hash.sha1(0, filesize) == "56abae0864220fc56ede6a121fde676b5c22e2e9"
)
}
rule GetShellA
{
meta:
description = "OSX.GetShell.A"
xprotect_rule = true
condition:
Macho and filesize <= 21000 and
(
hash.sha1(0, filesize) == "112d4e785e363abfec51155a5536c072a0da4986"
)
}
rule LaoShuA
{
meta:
description = "OSX.LaoShu.A"
xprotect_rule = true
condition:
Macho and filesize <= 50000 and
(
hash.sha1(0, filesize) == "2e243393a4e997d53d3d80516571a64f10313116"
)
}
rule AbkA
{
meta:
description = "OSX.Abk.A"
xprotect_rule = true
condition:
Macho and filesize <= 250000 and
(
hash.sha1(0, filesize) == "3edb177abc8934fdc7d537f5115bb4fb6ab41c3f"
)
}
rule CoinThiefA
{
meta:
description = "OSX.CoinThief.A"
xprotect_rule = true
condition:
filesize <= 350000 and (
hash.sha1(0, filesize) == "37c4bc94f2c08e90a47825fe7b2afbce908b5d74"
)
}
rule CoinThiefB
{
meta:
description = "OSX.CoinThief.B"
xprotect_rule = true
condition:
filesize <= 3000000 and (
hash.sha1(0, filesize) == "c2b81f705670c837c0bf5a2ddd1e398e967c0a08" or
hash.sha1(0, filesize) == "02e243157dbc8803a364e9410a5c41b36de64c95"
)
}
rule CoinThiefC
{
meta:
description = "OSX.CoinThief.C"
xprotect_rule = true
condition:
Macho and filesize <= 29000 and
(
hash.sha1(0, filesize) == "d4d1480a623378202517cf86efc4ec27f3232f0d"
)
}
rule RSPlugA
{
meta:
description = "OSX.RSPlug.A"
xprotect_rule = true
strings:
$a1 = {4D6F7A696C6C61706C75672E706C7567696E00}
$a2 = {5665726966696564446F776E6C6F6164506C7567696E00}
$a3 = {5665726966696564446F776E6C6F6164506C7567696E2E7273726300}
$b1 = {3C6B65793E4946506B67466C616744656661756C744C6F636174696F6E3C2F6B65793E}
$b2 = {3C737472696E673E2F4C6962726172792F496E7465726E657420506C75672D496E732F3C2F737472696E673E}
condition:
all of ($a*) or all of ($b*)
}
rule IServiceA
{
meta:
description = "OSX.Iservice.A/B"
xprotect_rule = true
strings:
$a = {27666F72272073746570206D7573742062652061206E756D6265720025733A25753A206661696C656420617373657274696F6E20602573270A0000002F55736572732F6A61736F6E2F64696172726865612F6165732F6165735F6D6F6465732E63000000625F706F73203D3D2030000062616E0036392E39322E3137372E3134363A3539323031007177666F6A7A6C6B2E66726565686F737469612E636F6D3A31303234000000007374617274757000666600002C000000726F6F74000000002F62696E2F7368}
condition:
Macho and $a
}
rule HellRTS
{
meta:
description = "OSX.HellRTS.A"
xprotect_rule = true
strings:
$a1 = {656C6C5261697365722053657276657200165F44454255475F4C4F475F505249564154452E747874}
$a2 = {5374617274536572766572203E20212053455256455220524553544152544544}
$a3 = {2F7573722F62696E2F64656661756C7473207772697465206C6F67696E77696E646F77204175746F4C61756E636865644170706C69636174696F6E44696374696F6E617279202D61727261792D61646420273C646963743E3C6B65793E486964653C2F6B65793E3C00192F3E3C6B65793E506174683C2F6B65793E3C737472696E673E00113C2F737472696E673E3C2F646963743E27}
$a4 = {48656C6C52616973657220536572766572}
condition:
filesize <= 100000 and
hash.sha1(0, filesize) == "a8afa8e646bd6a02cfaa844735b94c50820bb9f5" or
hash.sha1(0, filesize) == "0ba58f54b44b2ee8a1f149e1a686deeedebb79ba" or
all of ($a*)
}
rule OpinionSpyA
{
meta:
description = "OSX.OpinionSpy"
xprotect_rule = true
strings:
$a = {504B010214000A0000000800547D8B3B9B0231BC [4] 502D0700250000000000 [12] 636F6D2F697A666F7267652F697A7061636B2F70616E656C732F706F696E7374616C6C6572}
condition:
$a
}
rule MacDefenderA
{
meta:
description = "OSX.MacDefender.A"
xprotect_rule = true
strings:
$a1 = {3C6B65793E434642756E646C654964656E7469666965723C2F6B65793E}
$a2 = {3C737472696E673E636F6D2E41564D616B6572732E}
$a3 = {2E706B673C2F737472696E673E}
$b1 = {436F6E74726F6C43656E746572442E6E6962}
$b2 = {5669727573466F756E642E706E67}
$b3 = {57616C6C65742E706E67}
$b4 = {61666669642E747874}
condition:
all of ($a*) or all of ($b*)
}
rule MacDefenderB
{
meta:
description = "OSX.MacDefender.B"
xprotect_rule = true
strings:
$a = {436F6E74656E7473 [0-64] 496E666F2E706C697374 [0-64] 4D61634F53 [0-256] 5265736F7572636573 [0-128] 0000 (0AF101134A4495 | 0B20012B644D93 | 0B1F01B1239428 | 0B1F0158C4CC11) 000000000000000000000008446F776E6C6F6164506963742E706E6700000000}
condition:
filesize <= 1000000 and
($a or
hash.sha1(0, filesize) == "03fce25a7823e63139752506668eededae4d33b7" or
hash.sha1(0, filesize) == "0dceacd1eb6d25159bbf9408bfa0b75dd0eac181" or
hash.sha1(0, filesize) == "1191ed22b3f3a7578e0cedf8993f6d647a7302b1" or
hash.sha1(0, filesize) == "5fd47e23be3a2a2de526398c53bc27ebc4794e61" or
hash.sha1(0, filesize) == "6b1b5d799bbc766f564c838c965baf2ca31502df" or
hash.sha1(0, filesize) == "7eb5702f706e370ced910dd30f73fef3e725c2bb" or
hash.sha1(0, filesize) == "7815c43edd431d6f0a96da8e166347f36ee9f932" or
hash.sha1(0, filesize) == "a172738a91bada5967101e9d3d7ef2f7c058b75b" or
hash.sha1(0, filesize) == "b350021f80ff6dacd31a53d8446d21e333e68790" or
hash.sha1(0, filesize) == "eb876a4fd893fd54da1057d854f5043f6c144b67" or
hash.sha1(0, filesize) == "3596070edc0badcf9e29f4b1172f00cebb863396" or
hash.sha1(0, filesize) == "8cfce1b81e03242c36de4ad450f199f6f4d76841"
)
}
rule QHostWBA
{
meta:
description = "OSX.QHostWB.A"
xprotect_rule = true
strings:
$a = {3C6B65793E434642756E646C654964656E7469666965723C2F6B65793E0A093C737472696E673E636F6D2E466C617368506C617965722E666C617368706C617965722E706B673C2F737472696E673E [0-400] 3C6B65793E4946506B67466C6167417574686F72697A6174696F6E416374696F6E3C2F6B65793E0A093C737472696E673E526F6F74417574686F72697A6174696F6E3C2F737472696E673E}
condition:
filesize <= 15000 and ($a or hash.sha1(0, filesize) == "968430f1500fc475b6507f3c1d575714c785801a"
)
}
rule RevirA
{
meta:
description = "OSX.Revir.A"
xprotect_rule = true
condition:
Macho and filesize <= 300000 and
(
hash.sha1(0, filesize) == "60b0ef03b65d08e4ea753c63a93d26467e9b953e"
)
}
rule RevirB
{
meta:
description = "OSX.Revir.ii"
xprotect_rule = true
condition:
Macho and filesize <= 50000 and (
hash.sha1(0, filesize) == "20196eaac0bf60ca1184a517b88b564bf80d64b2"
)
}
rule FlashbackA
{
meta:
description = "OSX.Flashback.A"
xprotect_rule = true
condition:
filesize <= 200000 and (
hash.sha1(0, filesize) == "4cca20ffe6413a34176daab9b073bcd7f78a02b9" or
hash.sha1(0, filesize) == "2b69d70a55e6effcabe5317334c09c83e8d615eb" or
hash.sha1(0, filesize) == "bd5e541ee0aeba084f10b1149459db7898677e40" or
hash.sha1(0, filesize) == "033de56ba7d4e5198838530c75c7570cd5996da8" or
hash.sha1(0, filesize) == "a99f651cdcef3766572576c5dab58ba48c0819c0" or
hash.sha1(0, filesize) == "6da26fd20abb4815c56f638924dc82cf6ca65caf" or
hash.sha1(0, filesize) == "ffdcd8fb4697d4c88513b99cc748e73cf50f9186" or
hash.sha1(0, filesize) == "026107095b367d7c1249ef7ad356ecd613ebe814" or
hash.sha1(0, filesize) == "02a35e2ef3ccdf50d0755b27b42c21e8ce857d09"
)
}
rule FlashbackB
{
meta:
description = "OSX.Flashback.B"
xprotect_rule = true
condition:
filesize <= 200000 and (
hash.sha1(0, filesize) == "fd7810b4458a583cca9c610bdf5a4181baeb2233" or
hash.sha1(0, filesize) == "7004aec6b8193b8c3e8032d720dc121b23b921b7" or
hash.sha1(0, filesize) == "b87a94ddd93fc036215056fbbed92380eefcadc2" or
hash.sha1(0, filesize) == "3f40c8d93bc7d32d3c48eedacc0cd411cf273dba"
) or
filesize <= 300000 and (
hash.sha1(0, filesize) == "e266dd856008863704dd9af7608a58137d8936ba" or
hash.sha1(0, filesize) == "7b6d5edf04a357d123f2da219f0c7c085ffa67fc" or
hash.sha1(0, filesize) == "284484b13022e809956bb20b6ba741bd2c0a7117"
)
}
rule FlashbackC
{
meta:
description = "OSX.Flashback.C"
xprotect_rule = true
condition:
filesize <= 300000 and (
hash.sha1(0, filesize) == "12f814ef8258caa2b84bf763af8333e738b5df76" or
hash.sha1(0, filesize) == "131db26684cfa17a675f5ff9a67a82ce2864ac95" or
hash.sha1(0, filesize) == "140fba4cafa2a3dff128c5cceeb12ce3e846fa2b" or
hash.sha1(0, filesize) == "585e1e8aa48680ba2c4c159c6a422f05a5ca1e5c" or
hash.sha1(0, filesize) == "392b6b110cec1960046061d37ca0368d1c769c65" or
hash.sha1(0, filesize) == "b95a2a9a15a67c1f4dfce1f3ee8ef4429f86747c"
)
}
rule DevilRobberA
{
meta:
description = "OSX.DevilRobber.A"
xprotect_rule = true
strings:
$a1 = {504C4953545F4E414D453D2224484F4D452F4C6962726172792F4C61756E63684167656E74732F636F6D2E6170706C652E6C6567696F6E2E706C69737422}
$a2 = {63686D6F64202B78202224484F4D452F244D41494E5F4449522F24455845435F4E414D4522}
$a3 = {636F6D2E6170706C652E6C6567696F6E}
$b = {3C6B65793E434642756E646C6545786563757461626C653C2F6B65793E [0-20] 3C737472696E673E707265666C696768743C2F737472696E673E}
condition:
(Macho and all of ($a*)) or $b
}
rule DevilRobberB
{
meta:
description = "OSX.DevilRobber.B"
xprotect_rule = true
strings:
$a1 = {455845435F4E414D453D}
$a2 = {53485F4E414D453D}
$a3 = {415243484956455F4E414D453D}
$a4 = {504C4953545F4E414D453D2224484F4D452F4C6962726172792F4C61756E63684167656E74732F636F6D2E6170706C652E6D6F707065722E706C697374220A}
$a5 = {63686D6F64202B78202224484F4D452F244D41494E5F4449522F24455845435F4E414D4522}
$a6 = {63686D6F64202B78202224484F4D452F244D41494E5F4449522F645F73746172742E736822}
$a7 = {3C737472696E673E636F6D2E6170706C652E6D6F707065723C2F737472696E673E}
condition:
all of ($a*)
}
rule FileStealB
{
meta:
description = "OSX.FileSteal.ii"
xprotect_rule = true
condition:
Macho and filesize <= 115000 and
(
hash.sha1(0, filesize) == "1eedde872cc14492b2e6570229c0f9bc54b3f258"
)
}
rule FileStealA
{
meta:
description = "OSX.FileSteal.i"
xprotect_rule = true
strings:
$a1 = {46696C654261636B757041707044656C6567617465}
$a2 = {5461736B57726170706572}
$a3 = {2F7573722F62696E2F6375726C}
$a4 = {5A697055706C6F6164}
condition:
Macho and all of ($a*)
}
rule MDropperA
{
meta:
description = "OSX.Mdropper.i"
xprotect_rule = true
strings:
$a1 = {2F746D702F6C61756E63682D6873002F746D702F6C61756E63682D687365002F746D702F}
$a2 = {0023212F62696E2F73680A2F746D702F6C61756E63682D68736520260A6F70656E202F746D702F66696C652E646F6320260A0A}
$a3 = {00005F5F504147455A45524F00}
$a4 = {005F5F6D685F657865637574655F686561646572}
condition:
all of ($a*)
}
rule FkCodecA
{
meta:
description = "OSX.FkCodec.i"
xprotect_rule = true
strings:
$a = {3C6B65793E6E616D653C2F6B65793E0A093C646963743E0A09093C6B65793E656E3C2F6B65793E0A09093C737472696E673E436F6465632D4D3C2F737472696E673E0A093C2F646963743E0A093C6B65793E76657273696F6E3C2F6B65793E}
condition:
$a
}
rule MaControlA
{
meta:
description = "OSX.MaControl.i"
xprotect_rule = true
condition:
Macho and filesize <= 110000 and (
hash.sha1(0, filesize) == "8a86ff808d090d400201a1f94d8f706a9da116ca"
)
}
rule RevirC
{
meta:
description = "OSX.Revir.iii"
xprotect_rule = true
condition:
Macho and filesize <= 25000 and
(
hash.sha1(0, filesize) == "265dafd0978c0b3254b1ac27dbedb59593722d2d"
)
}
rule RevirD
{
meta:
description = "OSX.Revir.iv"
xprotect_rule = true
condition:
Macho and filesize <= 40000 and
(
hash.sha1(0, filesize) == "782312db766a42337af30093a2fd358eeed97f53"
)
}
rule SMSSendA
{
meta:
description = "OSX.SMSSend.i"
xprotect_rule = true
condition:
Macho and filesize <= 15000000 and
(
hash.sha1(0, filesize) == "6c2b47384229eba6f398c74a0ba1516b3a674723"
)
}
rule SMSSendB
{
meta:
description = "OSX.SMSSend.ii"
xprotect_rule = true
condition:
Macho and filesize <= 15000000 and (
hash.sha1(0, filesize) == "a07d8497519404728f431aeec1cd35d37efc1cbb"
)
}
rule EICAR
{
meta:
description = "OSX.eicar.com.i"
xprotect_rule = true
condition:
filesize <= 100000000 and hash.sha1(0, filesize) == "3395856ce81f2b7382dee72602f798b642f14140"
}
rule AdPluginA
{
meta:
description = "OSX.AdPlugin.i"
xprotect_rule = true
condition:
filesize <= 500000 and hash.sha1(0, filesize) == "f63805148d85d8b757a50580bba11e02c192a2b8"
}
rule AdPluginB
{
meta:
description = "OSX.AdPlugin2.i"
xprotect_rule = true
condition:
filesize <= 40000 and hash.sha1(0, filesize) == "fe59a309e5689374dba50bc7349d62148f1ab9aa"
}
rule LeverageA
{
meta:
description = "OSX.Leverage.a"
xprotect_rule = true
condition:
Macho and filesize <= 2500000 and
(
hash.sha1(0, filesize) == "41448afcb7b857866a5f6e77d3ef3a393598f91e"
)
}
rule PrxlA
{
meta:
description = "OSX.Prxl.2"
xprotect_rule = true
condition:
Macho and filesize <= 24000 and
(
hash.sha1(0, filesize) == "edff0cd0111ee1e3a85dbd0961485be1499bdb66" or
hash.sha1(0, filesize) == "429ed6bced9bb18b95e7a5b5de9a7b023a2a7d2c" or
hash.sha1(0, filesize) == "f1a32e53439d3adc967a3b47f9071de6c10fce4e"
)
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment