// Detects a Linux.Exploit.Lotoor sample by a fragment of its string/symbol table.
// Meta values (id, fingerprint, reference_sample) are as published by the author;
// the fingerprint presumably hashes the rule content — re-verify it if any token is edited.
rule Linux_Exploit_Lotoor_03c81bd9 {
meta:
author = "Elastic Security"
id = "03c81bd9-c7d1-4044-9cce-951637b2b523"
fingerprint = "329dc1e21088c87095ee030c597a3340f838c338403ae64aec574e0086281461"
creation_date = "2021-01-12"
last_modified = "2021-09-16"
threat_name = "Linux.Exploit.Lotoor"
reference_sample = "3fc701a2caab0297112501f55eaeb05264c5e4099c411dcadc7095627e19837a"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
// Decodes to "e\0exp_state\0memset\0p": NUL-separated names, consistent with
// an ELF string table. Short symbol runs like this can also occur in unrelated
// binaries importing the same names, so treat a hit as a corroborating signal.
$a = { 65 00 65 78 70 5F 73 74 61 74 65 00 6D 65 6D 73 65 74 00 70 }
condition:
// Only one string is defined, so this is equivalent to "$a".
all of them
}
// Detects a Linux.Exploit.Lotoor sample by a fragment of its string/symbol table.
// Meta values are as published by the author; the fingerprint presumably hashes
// the rule content — re-verify it if any token is edited.
rule Linux_Exploit_Lotoor_757637d9 {
meta:
author = "Elastic Security"
id = "757637d9-6171-4e2a-bf7c-3ee2c71066a7"
fingerprint = "7fa3e2432ddd696b5d40aafbde1e026e74294d31c9201800ce66b343a3724c6e"
creation_date = "2021-01-12"
last_modified = "2021-09-16"
threat_name = "Linux.Exploit.Lotoor"
reference_sample = "0762fa4e0d74e3c21b2afc8e4c28e2292d1c3de3683c46b5b77f0f9fe1faeec7"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
// Decodes to "d\0sprintf\0open\0is_ol": NUL-separated symbol names, consistent
// with an ELF string table. Common libc names — the ordering is what makes this
// specific, so a hit is best corroborated with other rules in this file.
$a = { 64 00 73 70 72 69 6E 74 66 00 6F 70 65 6E 00 69 73 5F 6F 6C }
condition:
// Only one string is defined, so this is equivalent to "$a".
all of them
}
// Detects a Linux.Exploit.Lotoor sample by a code-byte fragment.
// Meta values are as published by the author; the fingerprint presumably hashes
// the rule content — re-verify it if any token is edited.
rule Linux_Exploit_Lotoor_78543893 {
meta:
author = "Elastic Security"
id = "78543893-7180-4857-8951-4190ca4602f1"
fingerprint = "b581e0820d7895021841d67e4e9dc40cec8f5ae5ba4dbc0585abcb76f97c9a2f"
creation_date = "2021-01-12"
last_modified = "2021-09-16"
threat_name = "Linux.Exploit.Lotoor"
reference_sample = "ff5b02d2b4dfa9c3d53e7218533f3c57e82315be8f62aa17e26eda55a3b53479"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
// Opcode bytes rather than text; the 0x48 REX.W prefixes suggest 64-bit code
// (inferred from the bytes — meta only says "x86"). Fixed sequence, no wildcards,
// so a recompiled variant may not match.
$a = { 00 48 8B 48 08 48 8B 54 24 F0 48 63 C6 48 89 8C C2 88 00 00 00 83 44 24 }
condition:
// Only one string is defined, so this is equivalent to "$a".
all of them
}
// Detects a Linux.Exploit.Lotoor sample by a fragment of its string/symbol table.
// Meta values are as published by the author; the fingerprint presumably hashes
// the rule content — re-verify it if any token is edited.
rule Linux_Exploit_Lotoor_4f8d83d2 {
meta:
author = "Elastic Security"
id = "4f8d83d2-4f7b-4a55-9d08-f7bc84263302"
fingerprint = "1a4e2746eb1da2a841c08ea44c6d0476c02dae5b4fbbe17926433bdb8c4e6df5"
creation_date = "2021-01-12"
last_modified = "2021-09-16"
threat_name = "Linux.Exploit.Lotoor"
reference_sample = "d78128eca706557eeab8a454cf875362a097459347ddc32118f71bd6c73d5bbd"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
// Decodes to "\0uname\0stdout\0fwrite\0": NUL-separated libc symbol names,
// consistent with an ELF string table. These names are common; the exact
// adjacency is the discriminator, so expect some risk of benign matches.
$a = { 00 75 6E 61 6D 65 00 73 74 64 6F 75 74 00 66 77 72 69 74 65 00 }
condition:
// Only one string is defined, so this is equivalent to "$a".
all of them
}
// Detects a Linux.Exploit.Lotoor sample by a code-byte fragment.
// Meta values are as published by the author; the fingerprint presumably hashes
// the rule content — re-verify it if any token is edited.
rule Linux_Exploit_Lotoor_f4afd230 {
meta:
author = "Elastic Security"
id = "f4afd230-6c9f-49e8-8f13-429635b38eb5"
fingerprint = "1709244fdc1e2d9d7fba01743b0cf87de7b940d2b25a0016e021b7e9696525bc"
creation_date = "2021-01-12"
last_modified = "2021-09-16"
threat_name = "Linux.Exploit.Lotoor"
reference_sample = "805e900ffc9edb9f550dcbc938a3b06d28e9e7d3fb604ff68a311a0accbcd2b1"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
// Opcode bytes rather than text: repeated "85 C0 74 xx" (test eax,eax / jz)
// after memory loads. No REX prefix is present, which looks like 32-bit code
// — inferred from the bytes, not stated in meta. Fixed sequence, no wildcards.
$a = { 83 20 FF FF FF 85 C0 74 25 8B 83 F8 FF FF FF 85 C0 74 1B 83 }
condition:
// Only one string is defined, so this is equivalent to "$a".
all of them
}
// Detects a Linux.Exploit.Lotoor sample by a code-byte fragment.
// Meta values are as published by the author; the fingerprint presumably hashes
// the rule content — re-verify it if any token is edited.
rule Linux_Exploit_Lotoor_bb384bc9 {
meta:
author = "Elastic Security"
id = "bb384bc9-fcda-4ad4-82ad-b95de750d31c"
fingerprint = "6878670c1fa154f5c4a845a824c63d0a900359b6e122b3fa759077c6a7e33e4c"
creation_date = "2021-01-12"
last_modified = "2021-09-16"
threat_name = "Linux.Exploit.Lotoor"
reference_sample = "ecc6635117b99419255af5d292a7af3887b06d5f3b0f59d158281eebfe606445"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
// Opcode bytes rather than text; the 0x4C/0x49/0x48 REX prefixes suggest
// 64-bit code (inferred from the bytes — meta only says "x86").
// Fixed sequence, no wildcards, so a recompiled variant may not match.
$a = { C2 75 64 4C 8B 45 F0 49 83 C0 04 4C 8B 4D F0 49 83 C1 08 48 8B }
condition:
// Only one string is defined, so this is equivalent to "$a".
all of them
}
// Detects a Linux.Exploit.Lotoor sample by a code-byte fragment.
// Meta values are as published by the author; the fingerprint presumably hashes
// the rule content — re-verify it if any token is edited.
rule Linux_Exploit_Lotoor_b293f6ec {
meta:
author = "Elastic Security"
id = "b293f6ec-0342-4727-b2a1-bd60be11ef74"
fingerprint = "42c95bdd82e398bceeb985cff50f4613596b71024c052487f5b337bb35489594"
creation_date = "2021-01-12"
last_modified = "2021-09-16"
threat_name = "Linux.Exploit.Lotoor"
reference_sample = "d1fa8520d3c3811d29c3d5702e7e0e7296b3faef0553835c495223a2bc015214"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
// Opcode bytes rather than text: frame-relative stores/loads (89 45 xx / 8B 45 xx)
// followed by "48 98" and "48 C1", whose REX.W prefixes suggest 64-bit code
// (inferred from the bytes — meta only says "x86"). Fixed sequence, no wildcards.
$a = { B8 89 45 A8 8B 45 A8 83 C0 64 89 45 B4 EB 2A 8B 45 A8 48 98 48 C1 }
condition:
// Only one string is defined, so this is equivalent to "$a".
all of them
}
// Detects a Linux.Exploit.Lotoor sample by a code-byte fragment.
// Meta values are as published by the author; the fingerprint presumably hashes
// the rule content — re-verify it if any token is edited.
rule Linux_Exploit_Lotoor_c5983669 {
meta:
author = "Elastic Security"
id = "c5983669-67d6-4a9e-945f-aae383211872"
fingerprint = "1d74ddacc623a433f84b1ab6e74bcfc0e69afb29f40a8b2d660d96a88610c3b2"
creation_date = "2021-01-12"
last_modified = "2021-09-16"
threat_name = "Linux.Exploit.Lotoor"
reference_sample = "d08be92a484991afae3567256b6cec60a53400e0e9b6f6b4d5c416a22ccca1cf"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
// Opcode bytes rather than text; the 0x48 REX.W prefixes suggest 64-bit code
// (inferred from the bytes — meta only says "x86"). Fixed sequence, no wildcards,
// so a recompiled variant may not match.
$a = { 48 83 C0 58 48 89 44 24 20 48 8B 44 24 18 48 89 C7 BA 60 00 }
condition:
// Only one string is defined, so this is equivalent to "$a".
all of them
}
// Detects a Linux.Exploit.Lotoor sample by a fragment of its string/symbol table.
// Shares reference_sample with Linux_Exploit_Lotoor_757637d9 in this file.
// Meta values are as published by the author; the fingerprint presumably hashes
// the rule content — re-verify it if any token is edited.
rule Linux_Exploit_Lotoor_fbff22da {
meta:
author = "Elastic Security"
id = "fbff22da-2f31-416c-8aa0-1003e3be8baa"
fingerprint = "b649b172fad3e3b085cbf250bd17dbea4c409a7337914c63230d188f9b8135fa"
creation_date = "2021-01-12"
last_modified = "2021-09-16"
threat_name = "Linux.Exploit.Lotoor"
reference_sample = "0762fa4e0d74e3c21b2afc8e4c28e2292d1c3de3683c46b5b77f0f9fe1faeec7"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
// Decodes to "\0uname\0strlen\0stdout\0": NUL-separated libc symbol names,
// consistent with an ELF string table. Common names; the exact adjacency is
// the discriminator, so treat a hit as a corroborating signal.
$a = { 00 75 6E 61 6D 65 00 73 74 72 6C 65 6E 00 73 74 64 6F 75 74 00 }
condition:
// Only one string is defined, so this is equivalent to "$a".
all of them
}
// Detects a Linux.Exploit.Lotoor sample by a code-byte fragment.
// Meta values are as published by the author; the fingerprint presumably hashes
// the rule content — re-verify it if any token is edited.
rule Linux_Exploit_Lotoor_e2d5fad8 {
meta:
author = "Elastic Security"
id = "e2d5fad8-45b6-4d65-826d-b909230e2b69"
fingerprint = "ec64f2c3ca5ec2bfc2146159dab3258e389be5962bdddf4c6db5975cc730a231"
creation_date = "2021-01-12"
last_modified = "2021-09-16"
threat_name = "Linux.Exploit.Lotoor"
reference_sample = "7e54e57db3de32555c15e529c04b35f52d75af630e45b5f8d6c21149866b6929"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
// Opcode bytes rather than text: frame-relative loads "8B 45 xx" with no REX
// prefix, which looks like 32-bit code (inferred from the bytes, not stated
// in meta). Short and generic-looking compiler output; corroborate with the
// other rules in this file before acting on a lone hit.
$a = { 8B 45 E4 8B 00 89 45 E8 8B 45 E8 8B 00 85 C0 75 08 8B 45 E8 89 }
condition:
// Only one string is defined, so this is equivalent to "$a".
all of them
}
// Detects a Linux.Exploit.Lotoor sample by a code-byte fragment.
// Meta values are as published by the author; the fingerprint presumably hashes
// the rule content — re-verify it if any token is edited.
rule Linux_Exploit_Lotoor_f2f8eb6b {
meta:
author = "Elastic Security"
id = "f2f8eb6b-1fc3-4fca-b58d-d71ad932e1a7"
fingerprint = "881e2cd5b644c2511306b3670320224810de369971278516f7562076226fa5b7"
creation_date = "2021-01-12"
last_modified = "2021-09-16"
threat_name = "Linux.Exploit.Lotoor"
reference_sample = "01721b9c024ca943f42c402a57f45bd4c77203a604c5c2cd26e5670df76a95b2"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
// Opcode bytes rather than text; "48 98" / "48 85 C0" carry REX.W prefixes,
// suggesting 64-bit code (inferred from the bytes — meta only says "x86").
// Fixed sequence, no wildcards, so a recompiled variant may not match.
$a = { 24 14 40 00 00 00 EB 38 8B 44 24 14 48 98 83 E0 3F 48 85 C0 }
condition:
// Only one string is defined, so this is equivalent to "$a".
all of them
}
// Detects a Linux.Exploit.Lotoor sample by a fragment of embedded text.
// Meta values are as published by the author; the fingerprint presumably hashes
// the rule content — re-verify it if any token is edited.
rule Linux_Exploit_Lotoor_f8e9f93c {
meta:
author = "Elastic Security"
id = "f8e9f93c-78ad-4ca5-a210-e62072e6f8c8"
fingerprint = "bdf87b68d1101cd3fcbc505de0d2e9b2aed9535aaafa9f746f7a3c4fba03b464"
creation_date = "2021-04-06"
last_modified = "2021-09-16"
threat_name = "Linux.Exploit.Lotoor"
reference_sample = "50a6d546d4c45dc33c5ece3c09dbc850b469b9b8deeb7181a45ba84459cb24c9"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
// Decodes to "a?: Linux 2.6.3" where "??" is a single wildcard byte — the tail
// of a label followed by a kernel-version string. Plain text like this can
// also appear in documentation or non-malicious tooling, so corroborate a hit.
$a = { 61 ?? 3A 20 4C 69 6E 75 78 20 32 2E 36 2E 33 }
condition:
// Only one string is defined, so this is equivalent to "$a".
all of them
}
// Detects a Linux.Exploit.Lotoor sample by a fragment of embedded text.
// Meta values are as published by the author; the fingerprint presumably hashes
// the rule content — re-verify it if any token is edited.
rule Linux_Exploit_Lotoor_89671b03 {
meta:
author = "Elastic Security"
id = "89671b03-5bd4-481b-9304-2655ea689c5f"
fingerprint = "e8b9631e5d4d8db559615504cc3f6fbd8a81bfbdb9e570113f20d006c44c8a9c"
creation_date = "2021-04-06"
last_modified = "2021-09-16"
threat_name = "Linux.Exploit.Lotoor"
reference_sample = "001098473574cfac1edaca9f1180ab2005569e094be63186c45b48c18f880cf8"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
// Decodes to "bel: Linux < 2.6" — the tail of a label followed by a kernel
// version bound. Plain ASCII, so non-malicious text files could also match;
// corroborate a hit with the code-byte rules in this file.
$a = { 62 65 6C 3A 20 4C 69 6E 75 78 20 3C 20 32 2E 36 }
condition:
// Only one string is defined, so this is equivalent to "$a".
all of them
}
// Detects a Linux.Exploit.Lotoor sample by a fragment of embedded text.
// Meta values are as published by the author; the fingerprint presumably hashes
// the rule content — re-verify it if any token is edited.
rule Linux_Exploit_Lotoor_dbc73db0 {
meta:
author = "Elastic Security"
id = "dbc73db0-527c-436f-afdc-bc3750f10ea0"
fingerprint = "2f6ad833b84f00be1d385de686a979d3738147c38b4126506e56225080ee81ef"
creation_date = "2021-04-06"
last_modified = "2021-09-16"
threat_name = "Linux.Exploit.Lotoor"
reference_sample = "9fe78e4dd7975856a74d8dfd83e69793a769143e0fe6994cbc3ef28ea37d6cf8"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
// Decodes to "cus: Linux 2.6.3" — the tail of a label followed by a kernel
// version string. Plain ASCII; benign text could also match, so treat as a
// corroborating signal rather than conclusive on its own.
$a = { 63 75 73 3A 20 4C 69 6E 75 78 20 32 2E 36 2E 33 }
condition:
// Only one string is defined, so this is equivalent to "$a".
all of them
}
// Detects a Linux.Exploit.Lotoor sample by a fragment of embedded text.
// Meta values are as published by the author; the fingerprint presumably hashes
// the rule content — re-verify it if any token is edited.
rule Linux_Exploit_Lotoor_ec339160 {
meta:
author = "Elastic Security"
id = "ec339160-5f25-495c-8e48-4683ad2fcca0"
fingerprint = "24a3630fd49860104c60c4f4d0ef03bd17c124383a0b5d027a06c7ca6cb9cbba"
creation_date = "2021-04-06"
last_modified = "2021-09-16"
threat_name = "Linux.Exploit.Lotoor"
reference_sample = "0002b469972f5c77a29e2a2719186059a3e96a6f4b1ef2d18a68fee3205ea0ba"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
// Decodes to "ium: Linux 2.X s" — the tail of a label followed by a kernel
// version string. Plain ASCII; benign text could also match, so treat as a
// corroborating signal rather than conclusive on its own.
$a = { 69 75 6D 3A 20 4C 69 6E 75 78 20 32 2E 58 20 73 }
condition:
// Only one string is defined, so this is equivalent to "$a".
all of them
}
// Detects a Linux.Exploit.Lotoor sample by a fragment of embedded text.
// Meta values are as published by the author; the fingerprint presumably hashes
// the rule content — re-verify it if any token is edited.
rule Linux_Exploit_Lotoor_7cd57e18 {
meta:
author = "Elastic Security"
id = "7cd57e18-2315-419b-b373-ea801181232c"
fingerprint = "a7d3183de1bccd816bcd2346e9754aaf6e7eb124d7416d79bdbe422b33035414"
creation_date = "2021-04-06"
last_modified = "2021-09-16"
threat_name = "Linux.Exploit.Lotoor"
reference_sample = "1eecf16dae302ae788d1bc81278139cd9f6af52d7bed48b8677b35ba5eb14e30"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
// Decodes to "ve: Linux 2.6." — the shortest text pattern in this file (14 bytes)
// and plain ASCII, so the false-positive surface on ordinary text is the widest
// here; corroborate a hit with the code-byte rules before acting on it.
$a = { 76 65 3A 20 4C 69 6E 75 78 20 32 2E 36 2E }
condition:
// Only one string is defined, so this is equivalent to "$a".
all of them
}