yara/rules/Linux_Trojan_Xorddos.yar (453 lines of code) (raw):
rule Linux_Trojan_Xorddos_2aef46a6 {
meta:
author = "Elastic Security"
id = "2aef46a6-6daf-4f02-b1b4-e512cea12e53"
fingerprint = "e583729c686b80e5da8e828a846cbd5218a4d787eff1fb2ce84a775ad67a1c4d"
creation_date = "2021-01-12"
last_modified = "2021-09-16"
threat_name = "Linux.Trojan.Xorddos"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
$a = { 25 64 2D 2D 25 73 5F 25 64 3A 25 73 }
condition:
all of them
}
rule Linux_Trojan_Xorddos_a6572d63 {
meta:
author = "Elastic Security"
id = "a6572d63-f9f3-4dfb-87e6-3b0bafd68a79"
fingerprint = "fd32a773785f847cdd59d41786a8d8a7ba800a71d40d804aca51286d9bb1e1f0"
creation_date = "2021-01-12"
last_modified = "2021-09-16"
threat_name = "Linux.Trojan.Xorddos"
reference_sample = "2ff33adb421a166895c3816d506a63dff4e1e8fa91f2ac8fb763dc6e8df59d6e"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
$a = { C8 0F B6 46 04 0F B6 56 05 C1 E0 08 09 D0 89 45 CC 0F B6 46 06 0F B6 }
condition:
all of them
}
rule Linux_Trojan_Xorddos_e41143e1 {
meta:
author = "Elastic Security"
id = "e41143e1-52d9-45c7-b19f-a5475b18a510"
fingerprint = "f621a2e8c289772990093762f371bb6d5736085695881e728a0d2c013c2ad1d4"
creation_date = "2021-01-12"
last_modified = "2021-09-16"
threat_name = "Linux.Trojan.Xorddos"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
$a = { 73 1E 80 3C 06 00 8D 14 30 8D 4C 37 FF 74 0D EB 36 0F B6 42 01 83 }
condition:
all of them
}
rule Linux_Trojan_Xorddos_0eb147ca {
meta:
author = "Elastic Security"
id = "0eb147ca-ec6d-4a6d-b807-4de8c1eff875"
fingerprint = "6a1667f585a7bee05d5aece397a22e376562d2b264d3f287874e5a1843e67955"
creation_date = "2021-01-12"
last_modified = "2021-09-16"
threat_name = "Linux.Trojan.Xorddos"
reference_sample = "45f25d2ffa2fc2566ed0eab6bdaf6989006315bbbbc591288be39b65abf2410b"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
$a = { 83 45 F0 01 8B 45 F0 89 45 E8 8B 45 E8 83 C4 18 5F 5D C3 55 }
condition:
all of them
}
rule Linux_Trojan_Xorddos_ba961ed2 {
meta:
author = "Elastic Security"
id = "ba961ed2-b410-4da5-8452-a03cf5f59808"
fingerprint = "fff4804164fb9ff1f667d619b6078b00a782b81716e217ad2c11df80cb8677aa"
creation_date = "2021-01-12"
last_modified = "2021-09-16"
threat_name = "Linux.Trojan.Xorddos"
reference_sample = "45f25d2ffa2fc2566ed0eab6bdaf6989006315bbbbc591288be39b65abf2410b"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
$a = { F8 C9 C3 55 89 E5 83 EC 38 C7 45 F8 FF FF FF FF C7 45 FC FF FF }
condition:
all of them
}
rule Linux_Trojan_Xorddos_2084099a {
meta:
author = "Elastic Security"
id = "2084099a-1df6-4481-9d13-3a5bd6a53817"
fingerprint = "dfb813a5713f0e7bdb5afd500f1e84c6f042c8b1a1d27dd6511dca7f2107c13b"
creation_date = "2021-01-12"
last_modified = "2021-09-16"
threat_name = "Linux.Trojan.Xorddos"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
$a = { 8B 45 FC 8B 50 18 8B 45 08 89 50 18 8B 45 FC 8B 40 08 85 C0 }
condition:
all of them
}
rule Linux_Trojan_Xorddos_61c88137 {
meta:
author = "Elastic Security"
id = "61c88137-02f6-4339-b8fc-04c72a5023aa"
fingerprint = "c09b31424a54e485fe5f89b4ab0a008df6e563a75191f19de12113890a4faa39"
creation_date = "2022-09-12"
last_modified = "2022-10-18"
threat_name = "Linux.Trojan.Xorddos"
reference_sample = "479ef38fa00bb13a3aa8448aa4a4434613c6729975e193eec29fc5047f339111"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
$a = { 24 8B C1 8B 0C 24 8D 64 24 FC 89 0C 24 8B 4D E8 87 0C 24 96 8D 64 }
condition:
all of them
}
rule Linux_Trojan_Xorddos_debb98a1 {
meta:
author = "Elastic Security"
id = "debb98a1-c861-4458-8bff-fae4f00a17dc"
fingerprint = "2c5688a82f7d39b0fceaf4458856549b1bce695a160a864f41b12b42e86e3745"
creation_date = "2022-09-12"
last_modified = "2022-10-18"
threat_name = "Linux.Trojan.Xorddos"
reference_sample = "494f549e3dd144e8bcb230dd7b3faa8ff5107d86d9548b21b619a0318e362cad"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
$a = { F4 87 5D F4 5B 9C 51 8B 4C 24 04 8D 49 2A 87 4C 24 04 89 4C }
condition:
all of them
}
rule Linux_Trojan_Xorddos_1d6e10fd {
meta:
author = "Elastic Security"
id = "1d6e10fd-7404-4597-a97d-cc92849d84f4"
fingerprint = "bf9d971a13983f1d0fdc8277e76cd1929523e239ce961316fe1f44cbdf0638a8"
creation_date = "2022-09-12"
last_modified = "2022-10-18"
threat_name = "Linux.Trojan.Xorddos"
reference_sample = "4c7851316f01ae84ee64165be3ba910ab9b415d7f0e2f5b7e5c5a0eaefa3c287"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
$a = { 24 04 9C 83 C5 7B 9D 8D 6D 85 87 54 24 00 9C 83 C5 26 9D 8D }
condition:
all of them
}
rule Linux_Trojan_Xorddos_e3ffbbcc {
meta:
author = "Elastic Security"
id = "e3ffbbcc-7751-4d96-abec-22dd9618cab1"
fingerprint = "d5d5117a31da1a0ac3ef4043092eed47e2844938da9d03e2b68a66658e300175"
creation_date = "2022-09-12"
last_modified = "2022-10-18"
threat_name = "Linux.Trojan.Xorddos"
reference_sample = "28b7ddf2548411910af033b41982cdc74efd8a6ef059a54fda1b6cbd59faa8f6"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
$a = { FF 10 52 FB FF D0 52 FB FF 00 52 FB FF D0 52 FB FF F0 51 FB }
condition:
all of them
}
rule Linux_Trojan_Xorddos_30f3b4d4 {
meta:
author = "Elastic Security"
id = "30f3b4d4-e634-418e-a9d5-7f12ef22f9ac"
fingerprint = "de1002eb8e9aae984ee5fe2a6c1f91845dab4861e09e01d644248cff8c590e5b"
creation_date = "2022-09-12"
last_modified = "2022-10-18"
threat_name = "Linux.Trojan.Xorddos"
reference_sample = "5b15d43d3535965ec9b84334cf9def0e8c3d064ffc022f6890320cd6045175bc"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
$a = { 24 70 9C 83 C5 17 9D 8D 6D E9 0F 10 74 24 60 8B F6 0F 10 6C }
condition:
all of them
}
rule Linux_Trojan_Xorddos_ca75589c {
meta:
author = "Elastic Security"
id = "ca75589c-6354-411b-b0a5-8400e657f956"
fingerprint = "0bcaeae9ec0f5de241a05c77aadb5c3f2e39c84d03236971a0640ebae528a496"
creation_date = "2022-09-12"
last_modified = "2022-10-18"
threat_name = "Linux.Trojan.Xorddos"
reference_sample = "0448c1b2c7c738404ba11ff4b38cdc8f865ccf1e202f6711345da53ce46e7e16"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
$a = { 6D E0 25 01 00 00 00 55 8B EC C9 87 D1 87 0C 24 87 D1 8D 64 }
condition:
all of them
}
rule Linux_Trojan_Xorddos_7909cdd2 {
meta:
author = "Elastic Security"
id = "7909cdd2-8a49-4f51-ae16-1ffe321a29d4"
fingerprint = "5c982596276c8587a88bd910bb2e75a7f72ea7a57c401ffa387aced33f9ac2b9"
creation_date = "2022-09-12"
last_modified = "2022-10-18"
threat_name = "Linux.Trojan.Xorddos"
reference_sample = "0a4a5874f43adbe71da88dc0ef124f1bf2f4e70d0b1b5461b2788587445f79d9"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
$a = { A5 07 00 EC C5 19 08 EC C5 19 08 18 06 00 00 18 06 00 00 06 }
condition:
all of them
}
rule Linux_Trojan_Xorddos_2522d611 {
meta:
author = "Elastic Security"
id = "2522d611-4ce3-4583-87d6-e5631b62d562"
fingerprint = "985885a6b5f01e8816027f92148d2496a5535f3c15de151f05f69ec273291506"
creation_date = "2022-09-12"
last_modified = "2022-10-18"
threat_name = "Linux.Trojan.Xorddos"
reference_sample = "0c2be53e298c285db8b028f563e97bf1cdced0c4564a34e740289b340db2aac1"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
$a = { 24 04 57 8B 7C 24 02 5F 87 44 24 00 50 8B 44 24 04 8D 40 42 87 44 }
condition:
all of them
}
rule Linux_Trojan_Xorddos_56bd04d3 {
meta:
author = "Elastic Security"
id = "56bd04d3-6b52-43f4-b170-637feb86397a"
fingerprint = "25cd85e8e65362a993a314f2fc500266fce2f343d21a2e91b146dafbbe8186db"
creation_date = "2022-09-12"
last_modified = "2022-10-18"
threat_name = "Linux.Trojan.Xorddos"
reference_sample = "0d2ce3891851808fb36779a348a83bf4aa9de1a2b2684fd0692434682afac5ec"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
$a = { 5C 87 5C 24 04 89 5C 24 04 8B 1C 24 8D 64 24 04 8B 00 8B F6 87 }
condition:
all of them
}
rule Linux_Trojan_Xorddos_f412e4b4 {
meta:
author = "Elastic Security"
id = "f412e4b4-adec-4011-b4b5-f5bb77b65d84"
fingerprint = "deb9f80d032c4b3c591935c474523fd6912d7bd2c4f498ec772991504720e683"
creation_date = "2022-09-12"
last_modified = "2022-10-18"
threat_name = "Linux.Trojan.Xorddos"
reference_sample = "0e3a3f7973f747fcb23c72289116659c7f158c604d937d6ca7302fbab71851e9"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
$a = { 24 04 C1 E2 05 8B C0 03 C2 9C 83 C5 0F 9D 8D 6D F1 05 0C 00 }
condition:
all of them
}
rule Linux_Trojan_Xorddos_71f8e26c {
meta:
author = "Elastic Security"
id = "71f8e26c-d0ff-49e8-9c20-8df9149e8843"
fingerprint = "dbd1275bd01fb08342e60cb0c20adaf42971ed6ee0f679fedec9bc6967ecc015"
creation_date = "2022-09-12"
last_modified = "2022-10-18"
threat_name = "Linux.Trojan.Xorddos"
reference_sample = "13f873f83b84a0d38eb3437102f174f24a0ad3c5a53b83f0ee51c62c29fb1465"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
$a = { 24 8D 64 24 04 1B 07 87 DA 8B 5D F4 52 87 DA 5B 83 C2 03 52 8B 54 }
condition:
all of them
}
rule Linux_Trojan_Xorddos_1a562d3b {
meta:
author = "Elastic Security"
id = "1a562d3b-bc59-4cb7-9ac1-7a4a79232869"
fingerprint = "e052e99f15f5a0f704c04cae412cf4b1f01a8ee6e4ce880aedc79cf5aee9631a"
creation_date = "2022-09-12"
last_modified = "2022-10-18"
threat_name = "Linux.Trojan.Xorddos"
reference_sample = "15731db615b32c49c34f41fe84944eeaf2fc79dafaaa9ad6bf1b07d26482f055"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
$a = { F0 87 1C 24 91 8D 64 24 FC 89 0C 24 8B C8 8B 04 24 87 D1 8D 64 }
condition:
all of them
}
rule Linux_Trojan_Xorddos_410256ac {
meta:
author = "Elastic Security"
id = "410256ac-fc7d-47f1-b7b8-82f1ee9f2bfb"
fingerprint = "aa7f1d915e55c3ef178565ed12668ddd71bf3e982dba1f2436c98cceef2c376d"
creation_date = "2022-09-12"
last_modified = "2022-10-18"
threat_name = "Linux.Trojan.Xorddos"
reference_sample = "15f44e10ece90dec1a6104d5be1effefa17614d9f0cfb2784305dab85367b741"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
$a = { 24 04 87 CA 8B 4D 0C 52 87 CA 59 03 D1 55 8B EC C9 6A 08 F7 }
condition:
all of them
}
rule Linux_Trojan_Xorddos_93fa87f1 {
meta:
author = "Elastic Security"
id = "93fa87f1-ec9d-4b3b-9c9a-a0b80963f41f"
fingerprint = "3b53e54dfea89258a116dcdf4dde0b6ad583aff08d626c02a6f1bf0c76164ac7"
creation_date = "2022-09-12"
last_modified = "2022-10-18"
threat_name = "Linux.Trojan.Xorddos"
reference_sample = "165b4a28fd6335d4e4dfefb6c40f41f16d8c7d9ab0941ccd23e36cda931f715e"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
$a = { 03 87 44 24 04 89 44 24 04 8B 04 24 8D 64 24 04 8B 00 9C 83 }
condition:
all of them
}
rule Linux_Trojan_Xorddos_8677dca3 {
meta:
author = "Elastic Security"
id = "8677dca3-e36b-439f-bc55-76d951114020"
fingerprint = "4d276b225f412b3879db19546c09d1dea2ee417c61ab6942c411bc392fee8e26"
creation_date = "2022-09-12"
last_modified = "2022-10-18"
threat_name = "Linux.Trojan.Xorddos"
reference_sample = "23813dc4aa56683e1426e5823adc3aab854469c9c0f3ec1a3fad40fa906929f2"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
$a = { F2 5E 83 C2 03 8B FF C1 E2 05 9C 83 C5 69 9D 8D 6D 97 03 C2 56 8B 74 }
condition:
all of them
}
rule Linux_Trojan_Xorddos_ebce4304 {
meta:
author = "Elastic Security"
id = "ebce4304-0a06-454f-ad08-98b323e5b23a"
fingerprint = "20f0346bf021e3d2a0e25bbb3ed5b9c0a45798d0d5b2516b679f7bf17d1b040d"
creation_date = "2022-09-12"
last_modified = "2022-10-18"
threat_name = "Linux.Trojan.Xorddos"
reference_sample = "2e06caf864595f2df7f6936bb1ccaa1e0cae325aee8659ee283b2857e6ef1e5b"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
$a = { 24 8D 64 24 04 87 54 24 00 56 8B 74 24 04 5E 9D 9C 83 C5 1E 9D 8D }
condition:
all of them
}
rule Linux_Trojan_Xorddos_073e6161 {
meta:
author = "Elastic Security"
id = "073e6161-35a3-4e5e-a310-8cc50cb28edf"
fingerprint = "12d04597fd60ed143a1b256889eefee1f5a8c77f4f300e72743e3cfa98ba8e99"
creation_date = "2022-09-12"
last_modified = "2022-10-18"
threat_name = "Linux.Trojan.Xorddos"
reference_sample = "2e06caf864595f2df7f6936bb1ccaa1e0cae325aee8659ee283b2857e6ef1e5b"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
$a = { F9 83 F8 1F 77 33 80 BC 35 B9 FF FF FF 63 76 29 8B 44 24 14 40 8D }
condition:
all of them
}
rule Linux_Trojan_Xorddos_bef22375 {
meta:
author = "Elastic Security"
id = "bef22375-0a71-4f5b-bfd1-e2e718b5c36f"
fingerprint = "0128e8725a0949dd23c23addc1158d28c334cfb040aad2b8f8d58f39720c41ef"
creation_date = "2022-09-12"
last_modified = "2022-10-18"
threat_name = "Linux.Trojan.Xorddos"
reference_sample = "f47baf48deb71910716beab9da1b1e24dc6de9575963e238735b6bcedfe73122"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
$a = { C5 35 9D 8D 6D CB 8B 12 9C 83 C5 17 9D 8D 6D E9 6A 04 F7 14 24 FF }
condition:
all of them
}