// Shlayer bash stage with an embedded Mac app.
// The signature is the exact `tail +$((LINENO+4)) $0` command the script runs
// on its own file; the text string below is byte-for-byte the ASCII sequence
// the original hex pattern encoded (case-sensitive, ASCII only).
rule shlayer_bash_embedded_app
{
    meta:
        description = "Detects Shlayer bash script with embedded Mac app"
        author = "Daniel Gallagher"
        date = "2020-06-18"
        hash1 = "86561207a7ebeb29771666bdc6469d81f9fc9f57eedda4f813ca3047b8162cfb"
        hash2 = "2c2c611965f7b9c8e3524a77da9b2ebedf1b7705e6276140cffe2c848bff9113"

    strings:
        // tail +$((LINENO+4)) $0  -- script reads from a fixed offset past its own line
        $x1 = "tail +$((LINENO+4)) $0" ascii

    condition:
        // single high-confidence indicator; no filesize or magic gate is applied
        $x1
}
// Shlayer bash install script.
// Keys on the `eval "$(openssl enc -base64 -d -aes-256-cbc -nosalt -pass pass:`
// prefix, i.e. the script decrypting and eval'ing an inline payload with a
// hard-coded passphrase. The quoted text is the same byte sequence the original
// hex pattern spelled out; the embedded double quote is escaped for YARA.
rule shlayer_bash_script
{
    meta:
        description = "Detects Shlayer bash install script"
        author = "Daniel Gallagher"
        date = "2020-05-27"
        hash1 = "82e4cdbe361c126f35c45a1e44f942022d360c80674d149efbc8112e0e3f3220"
        hash2 = "bb63b8513907cc7a39421b09a059dc3c131cfba75c46c537a4e002b131401580"

    strings:
        // eval "$(openssl enc -base64 -d -aes-256-cbc -nosalt -pass pass:
        $x1 = "eval \"$(openssl enc -base64 -d -aes-256-cbc -nosalt -pass pass:" ascii

    condition:
        // the passphrase itself is deliberately not part of the pattern,
        // so variants that only rotate the key are still covered
        $x1
}
// Shlayer python install script.
// Two independent paths to a hit: the single `commands = ["curl", "-f0L", "-o"]`
// literal ($x1), or the full set of beacon/encryption fragments ($s1..$s4).
// $x1 is the ASCII text of the original hex pattern; inner quotes are escaped.
rule shlayer_python_script
{
    meta:
        description = "Detects Shlayer python install script"
        author = "Daniel Gallagher"
        date = "2020-05-28"
        hash1 = "6f5d3e4adb0933c402878f2a93a5c3352bb2a77a210a887c266ae79ae66a6f42"
        hash2 = "b139b02dae8b3a038e5128279f4980958b2e73eca6d92ff908d4efe41ffe46f8"

    strings:
        // supporting strings: query-string fields and the url-encryption call;
        // case-insensitive so trivial casing changes do not break the match
        $s1 = "u=%(machineID)s" ascii nocase
        $s2 = "s=%(uuid)s" ascii nocase
        $s3 = "o=%(osVersion)s" ascii nocase
        $s4 = "fileUrl = edt.encryptText(url, key)" ascii nocase

        // commands = ["curl", "-f0L", "-o"]
        $x1 = "commands = [\"curl\", \"-f0L\", \"-o\"]" ascii

    condition:
        // strong indicator alone is enough; otherwise require every supporting string
        $x1 or all of ($s*)
}
// Known Shlayer C2 domains.
// Pure IoC rule: any one of the listed hostnames is a hit. `wide` also covers
// the UTF-16LE form, `nocase` the mixed-case form. hash1 is the same sample
// the python-script rule references. Domain lists of this kind go stale as
// infrastructure rotates, so treat a miss as weak evidence of absence.
rule shlayer_c2_domain
{
    meta:
        description = "Detects existence of known Shlayer C2 domain"
        author = "Daniel Gallagher"
        date = "2020-06-09"
        hash1 = "6f5d3e4adb0933c402878f2a93a5c3352bb2a77a210a887c266ae79ae66a6f42"
        hash2 = "ac6b301b46b795dc5573d6fbdfa6e1906845d03a019566c1a9f0b1c488ef12df"

    strings:
        $x1 = "api.frequencymode.com" ascii wide nocase
        $x2 = "api.operativeupgrade.com" ascii wide nocase
        $x3 = "api.defaultrotator.com" ascii wide nocase
        $x4 = "api.resultsformat.com" ascii wide nocase
        $x5 = "api.launchlookup.com" ascii wide nocase
        $x6 = "api.entrycache.com" ascii wide nocase
        $x7 = "api.typicalarchive.com" ascii wide nocase
        $x8 = "api.macsmoments.com" ascii wide nocase

    condition:
        // every string in this rule is an $x indicator, so "any of them"
        // is the same as "1 of ($x*)"
        any of them
}