Skip to content

Instantly share code, notes, and snippets.

@cranberry3148

cranberry3148/XProtect.yara

Created July 18, 2023 15:51
Show Gist options
  • Save cranberry3148/cc27daa3eb3710f5f43764a5337d9dd5 to your computer and use it in GitHub Desktop.
Save cranberry3148/cc27daa3eb3710f5f43764a5337d9dd5 to your computer and use it in GitHub Desktop.
Download ZIP
Apple OSX built in file defense is powered by YARA: /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources
Raw
XProtect.yara
import "hash"
private rule Macho
{
meta:
description = "private rule to match Mach-O binaries"
condition:
uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca
}
private rule PE
{
meta:
description = "private rule to match PE binaries"
condition:
uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x4550
}
rule XProtect_MACOS_644e18d
{
meta:
description = "MACOS.644e18d"
strings:
$a = { 63 6f 6e 6e 65 63 74 54 6f 50 72 6f 78 79 4d 61 6e 61 67 65 72 }
$b = { 63 6f 6e 6e 65 63 74 54 6f 44 65 73 74 69 6e 61 74 69 6f 6e }
$c = { 68 65 61 72 74 62 65 61 74 53 65 6e 64 65 72 }
$d = { 63 6f 6e 6e 65 63 74 54 6f 43 6e 63 }
$e = { 70 72 6f 78 69 74 2e 63 6f 6d 2f 70 65 65 72 }
condition:
Macho and 2 of them
}
rule XProtect_MACOS_6e6bed7
{
meta:
description = "MACOS.6e6bed7"
strings:
$a = { 77 65 62 56 69 65 77 3a 64 65 63 69 64 65 50 6f 6c 69 63 79 46 6f 72 4e 61 76 69 67 61 74 69 6f 6e 41 63 74 69 6f 6e 3a 64 65 63 69 73 69 6f 6e 48 61 6e 64 6c 65 72 3a }
$b = { 4e 53 54 61 73 6b }
$c = { 5f 70 63 6c 6f 73 65 00 5f 70 6f 70 65 6e }
$d1 = { ( 19 | 17 ) 6d 1b ( d1 | 51 ) }
$d2 = { 44 8d b4 08 25 f9 ff ff }
$d3 = { 89 16 40 38 e9 03 29 2a }
$d4 = { 41 8a 14 0e f6 d2 88 14 08 }
$d5 = { 5a 07 00 91 88 03 13 4a }
condition:
Macho and $a and ( $b or $c ) and ( 1 of ( $d* ) ) and filesize < 500KB
}
rule XProtect_MACOS_cbb1424
{
meta:
description = "MACOS.cbb1424"
strings:
$a = {
48 63 85 ?? ?? ?? ??
8B 84 85 ?? ?? ?? ??
88 85 ?? ?? ?? ??
8A 85 ?? ?? ?? ??
48 63 8D ?? ?? ?? ??
88 84 0D ?? ?? ?? ??
8B 85 ?? ?? ?? ??
83 C0 01
89 85 ?? ?? ?? ??
}
$b = {
66 ( 41 0f | 0F ) ( 6F | 6f 44 ) ( 04 | 05 ) 0?
66 0F 38 00 C1
( 66 41 0F 7E 45 ?? | 66 0F 7e 03 )
( 48 | 49 ) 83 C? 10
( 48 | 49 ) 83 C? 04
( 4? 81 F? | 48 3D ??) [3-4]
75 ??
}
condition:
Macho and any of them
}
rule XProtect_MACOS_1afcb8b
{
meta:
description = "MACOS.1afcb8b"
strings:
$a = { 77 65 62 76 69 65 77 2e 4e 65 77 }
$b = { 65 6e 63 6f 64 69 6e 67 2f 62 61 73 65 36 34 2e 28 2a 45 6e 63 6f 64 69 6e 67 29 2e 44 65 63 6f 64 65 53 74 72 69 6e 67 }
$c = { (45 | 46) 0f b6 ( 2c | 24 ) ( 02 | 22 ) 45 31 ( ea | e1 ) }
condition:
Macho and all of them
}
rule XProtect_MACOS_e71e847
{
meta:
description = "MACOS.e71e847"
strings:
$a = { 73 70 6d 44 6f 6d 61 69 6e }
$b = { 65 78 74 49 64 50 61 72 61 6d }
$c = { 69 64 50 61 72 61 6d }
$d = { 6c 6f 67 67 69 6e 67 55 72 6c }
$e = { 73 72 63 68 50 72 6f 78 79 55 52 4c }
$f = { 67 65 74 4c 6f 67 67 69 6e 67 55 72 6c }
$g = { 53 61 66 61 72 69 45 78 74 65 6e 73 69 6f 6e 56 69 65 77 43 6f 6e 74 72 6f 6c 6c 65 72 }
$h = { 70 6f 70 6f 76 65 72 56 69 65 77 43 6f 6e 74 72 6f 6c 6c 65 72 }
condition:
Macho and filesize < 500KB and all of them
}
rule XProtect_MACOS_1940318
{
meta:
description = "MACOS.1940318"
strings:
$a = { 42 30 4C 30 FF 8D 51 29 81 F9 D5 00 00 00 41 0F 4F D4 42 30 14 30 8D 4A 29 81 FA D5 00 00 00 41 0F 4F CC 48 83 C0 02 48 3D 01 74 05 00 75 }
condition:
Macho and filesize < 600KB and $a
}
rule XProtect_MACOS_275ff12
{
meta:
description = "MACOS.275ff12"
strings:
$a = { 69 00 6f 00 72 00 65 00 67 00 20 00 2d 00 72 00 64 00 31 00 20 00 2d 00 63 00 20 00 49 00 4f 00 50 00 6c 00 61 00 74 00 66 00 6f 00 72 00 6d 00 45 00 78 00 70 00 65 00 72 00 74 00 44 00 65 00 76 00 69 00 63 00 65 00 20 00 7c 00 20 00 61 00 77 00 6b 00 20 00 27 00 2f 00 49 00 4f 00 50 00 6c 00 61 00 74 00 66 00 6f 00 72 00 6d 00 55 00 55 00 49 00 44 00 2f 00 20 00 7b 00 20 00 73 00 70 00 6c 00 69 00 74 00 28 00 24 00 30 00 2c 00 20 00 6c 00 69 00 6e 00 65 00 2c 00 20 00 22 00 5c 00 22 00 22 00 29 00 3b 00 20 00 70 00 72 00 69 00 6e 00 74 00 66 00 28 00 22 00 25 00 73 00 22 00 2c 00 20 00 6c 00 69 00 6e 00 65 00 5b 00 34 00 5d 00 29 00 3b 00 20 00 7d 00 27 00 }
$b = { 5f 6b 66 75 6e 3a 23 6d 61 69 6e 28 29 }
condition:
Macho and all of them
}
rule XProtect_MACOS_7c241b4
{
meta:
description = "MACOS.7c241b4"
strings:
$a1 = { 5f 54 72 61 6e 73 66 6f 72 6d 50 72 6f 63 65 73 73 54 79 70 65 }
$a2 = { 5f 69 6e 66 6c 61 74 65 49 6e 69 74 }
$b1 = { 90 4? 63 c? 48 8? 0d ?? ?? 00 00 32 14 08 4c 39 fb }
$b2 = { 49 63 c6 48 8d 0d ?? ?? 00 00 44 32 3c 08 90 48 8b 85 78 ff ff ff 48 3b 45 80 }
$b3 = { ff cb [0-2] 48 63 c3 48 8b (15 | 0d) ?? ?? 00 (00 | 00 44) 32 ?? ?? 48 8b ?5 [1-4] 48 3b ?5 }
condition:
Macho and any of ( $a* ) and any of ( $b* )
}
rule XProtect_MACOS_54d6414
{
meta:
description = "MACOS.54d6414"
strings:
$a = { 23 21 }
$b1 = { 6d 6b 74 65 6d 70 }
$b2 = { 74 61 69 6c 20 2d 63 20 22}
$b3 = { 66 75 6e 7a 69 70 20 2d 22}
$b4 = { 63 68 6d 6f 64 20 2b 78 }
$b5 = { 6e 6f 68 75 70 }
$c1 = { 50 4b 03 04 }
condition:
filesize < 100KB and $a at 0 and (all of ($b*)) and $c1
}
rule XProtect_MACOS_2b50ea5
{
meta:
description = "MACOS.2b50ea5"
strings:
$string_1 = { 43 61 6e 6e 6f 74 20 72 65 6d 6f 76 65 20 6f 6c 64 20 66 69 6c 65 }
$string_2 = { 2f 62 69 6e 2f 62 61 73 68 }
$string_3 = { 56 65 72 73 69 6f 6e 20 64 65 63 6f 64 65 64 }
$string_4 = { 76 65 72 73 69 6f 6e 49 73 4f 4b }
$string_5 = { 73 6f 72 74 65 65 64 43 69 74 79 4c 69 73 74 }
$string_6 = { 5f 75 70 64 61 74 65 50 61 74 68 }
condition:
Macho and filesize < 1MB and all of them
}
rule XProtect_MACOS_f5d33c9
{
meta:
description = "MACOS.f5d33c9"
strings:
$a1 = { 23 21 }
$b1 = { 6d 6b 74 65 6d 70 20 2d 74 }
$b2 = { 74 61 69 6c [1-2] 2d 63 }
$b3 = { 24 30 [1-3] 7c [1-3] 66 75 6e 7a 69 70 [1-3] 2d [5-9] [1-3] 3e [1-3] 24 }
$b4 = { 63 68 6d 6f 64 [1-3] 2b 78 }
$b5 = { 6b 69 6c 6c 61 6c 6c [1-3] 54 65 72 6d 69 6e 61 6c }
$b6 = { 50 4b 03 04 14 }
condition:
filesize < 100KB and $a1 at 0 and all of ($b*)
}
rule XProtect_MACOS_11eaac1
{
meta:
description = "MACOS.11eaac1"
strings:
$a1 = { 23 21 }
$b1 = { 74 61 69 6c 20 2b }
$b2 = { 66 75 6e 7a 69 70 20 2d }
$b3 = { 6d 6b 74 65 6d 70 20 2d 64 20 2d 74 20 78 }
$b4 = { 63 68 6d 6f 64 20 2d 52 [0-1] 20 37 35 35 }
$b5 = { 6b 69 6c 6c 61 6c 6c 20 [0-3] 54 65 72 6d 69 6e 61 6c }
$b6 = { 6e 6f 68 75 70 20 24 54 4d 50 44 49 52 2f 2a 2e 61 70 70 2f 43 6f 6e 74 65 6e 74 73 2f 4d 61 63 4f 53 2f }
$c1 = { 50 4b 03 04 0a }
condition:
filesize < 500KB and $a1 at 0 and 4 of ($b*) and $c1
}
rule XProtect_MACOS_0e32a32
{
meta:
description = "MACOS.0e32a32"
strings:
$a = { 23 21 }
$b1 = { ?? 3d 22 ?? 22 3b ?? 3d 22 ?? 22 3b ?? 3d 22 ?? 22 3b ?? 3d 22 ?? 22 3b ?? 3d 22 ?? 22 3b }
$b2 = { 6d 6b 74 65 6d 70 20 2d 64 20 2f 74 6d 70 }
$b3 = { 24 7b ?? 7d 24 7b ?? 7d 24 7b ?? 7d 24 7b ?? 7d 24 7b ?? 7d 24 7b ?? 7d 24 7b ?? 7d 20 24 7b ?? 7d 24 7b ?? 7d 24 7b ?? 7d }
$b4 = { 6e 6f 68 75 70 20 2f 62 69 6e 2f 62 61 73 68 20 2d 63 20 22 65 76 61 6c }
$c1 = { 27 5c 2e 28 63 6f 6d 6d 61 6e 64 29 24 27 }
$c2 = { 55 32 46 73 64 47 56 6b 58 31 }
$c3 = { 6b 69 6c 6c 61 6c 6c 20 54 65 72 6d 69 6e 61 6c }
condition:
filesize < 10KB and $a at 0 and (all of ($b*) or all of ($c*))
}
rule XProtect_MACOS_2afe6bd
{
meta:
description = "MACOS.2afe6bd"
strings:
$a1 = { bf 0a [0-3] e8 ?? ?? ?? ?? 48 ?? 6d 6d 6d 6d 6d 6d 6d 6d 48 89 08 [0-4] 66 c7 ?? ?? ?? [0-1] ?? c7 ?? ?? }
$a2 = { BF 09 00 00 00 E8 ?? ?? 00 00 48 B9 53 53 53 53 53 53 53 53 48 89 08 C6 ?? ?? ?? C6 00 ?? ?? 40 ?? }
$b1 = { e8 ed 8d d2 e8 ed ad f2 e8 ed cd f2 e8 ed ed f2 08 20 00 a9 08 e0 00 f8 c8 0d 80 52 08 34 00 39 }
$b2 = { A8 AD 8D D2 A8 AD AD F2 A8 AD CD F2 A8 AD ED F2 08 00 00 F9 ?? ?? 80 52 }
$c1 = { 48 8D ?? ?? 23 00 00 48 ?? ?? FE FF FF FF E8 ?? ?? 00 00 48 89 ?? ?? ?? 48 85 C0 0F ?? ?? 01 00 00 48 8D ?? ?? ?? 00 00 48 ?? ?? FE FF FF FF E8 ?? ?? 00 00 48 89 ?? ?? ?? 48 85 ?? 0F 84 ?? ?? 00 00 48 8D ?? ?? ?? 00 00 48 8D ?? ?? ?? 00 00 E8 ?? ?? 00 00 48 85 C0 0F ?? ?? ?? 00 00 48 ?? ?? 48 89 ?? ?? ?? 31 F6 BA 02 00 00 00 E8 ?? 02 00 00 48 8B ?? ?? ?? E8 ?? 02 00 00 31 FF 48 89 ?? ?? ?? }
$c2 = { E1 10 01 10 1F 20 03 D5 20 00 80 92 B7 00 00 94 E0 1B 00 F9 00 0E 00 B4 A1 10 01 70 1F 20 03 D5 20 00 80 92 B1 00 00 94 60 ?? 00 ?? F4 03 00 AA 40 10 01 30 1F 20 03 D5 81 11 01 50 1F 20 03 D5 B0 00 00 94 80 0C 00 B4 F7 03 00 AA F4 17 00 F9 01 00 80 D2 42 00 80 52 B3 00 00 94 E0 03 17 AA B4 00 00 94 E0 03 F8 B7 F4 03 00 AA E0 03 17 AA }
$d1 = { 5f 41 75 74 68 6f 72 69 7a 61 74 69 6f 6e 45 78 65 63 75 74 65 57 69 74 68 50 72 69 76 69 6c 65 67 65 73 }
$d2 = { 5f 43 46 42 75 6e 64 6c 65 47 65 74 56 65 72 73 69 6f 6e 4e 75 6d 62 65 72 }
$e1 = { 5f 67 65 74 5f 69 6e 73 74 61 6c 6c 65 72 5f 6e 73 73 74 72 5f 63 6f 6e 73 74 }
$e2 = { 5f 67 65 74 5f 69 6e 73 74 61 6c 6c 65 72 5f 63 73 74 72 5f 63 6f 6e 73 74 }
$e3 = { 5f 67 65 74 5f 61 75 74 68 5f 72 65 66 }
$e4 = { 5f 72 75 6e 5f 61 73 5f 72 6f 6f 74 }
$f1 = { 5f 43 46 42 75 6e 64 6c 65 47 65 74 56 65 72 73 69 6f 6e 4e 75 6d 62 65 72 00 90 00 72 ?? 01 15 40 5f 43 46 53 74 72 69 6e 67 47 65 74 43 53 74 72 69 6e 67 50 74 72 }
condition:
Macho and filesize < 1MB and ( (all of ($e*)) or ((all of ($a*) or all of ($b*) or all of ($c*)) and (all of ($d*))) and all of ($f*) )
}
rule XProtect_MACOS_4d60c89
{
meta:
description = "MACOS.4d60c89"
strings:
$a1 = { 23 21 }
$b1 = { 5f 70 6b 67 5f 69 6e 73 74 61 6c 6c 5f }
$b2 = { 70 75 62 6c 69 73 68 65 72 5f 69 64 }
$b3 = { 70 61 67 65 5f 69 64 }
$b4 = { 50 41 47 45 5f 49 44 }
$b5 = { 70 72 6f 64 75 63 74 56 65 72 73 69 6f 6e }
$b6 = { 63 6f 6d 2e 61 70 70 6c 65 2e 6d 65 74 61 64 61 74 61 3a 6b 4d 44 49 74 65 6d 57 68 65 72 65 46 72 6f 6d 73 }
$b7 = { 5c 22 65 76 65 6e 74 5c 22 3a 20 5c 22 73 75 63 63 65 73 73 5c 22 }
$b8 = { 5c 22 65 76 65 6e 74 5c 22 3a 20 5c 22 73 74 61 72 74 5c 22 }
$c1 = { 73 79 73 74 65 6d 5f 70 72 6f 66 69 6c 65 72 20 53 50 48 61 72 64 77 61 72 65 44 61 74 61 54 79 70 65 20 7c 20 61 77 6b }
$c2 = { 6c 61 75 6e 63 68 63 74 6c 20 6c 6f 61 64 20 2d 77 }
$c3 = { 69 6f 72 65 67 20 2d 61 64 32 20 2d 63 20 49 4f 50 6c 61 74 66 6f 72 6d 45 78 70 65 72 74 44 65 76 69 63 65 }
$c4 = { 73 77 5f 76 65 72 73 20 2d 70 72 6f 64 75 63 74 }
$c5 = { 64 65 66 61 75 6c 74 73 20 77 72 69 74 65 20 22 24 70 6c 69 73 74 4c 41 22 }
$c6 = { 73 75 64 6f 20 63 75 72 6c }
$c7 = { 6f 73 76 65 72 73 69 6f 6e }
$c8 = { 57 68 65 72 65 46 72 6f 6d }
$c9 = { 77 68 65 72 65 46 72 6f 6d }
$c10 = { 53 74 61 72 74 49 6e 74 65 72 76 61 6c }
$c11 = { 52 75 6e 41 74 4c 6f 61 64 }
condition:
filesize < 10KB and $a1 at 0 and 4 of ($b*) and (6 of ($c*))
}
rule XProtect_MACOS_74416b0
{
meta:
description = "MACOS.74416b0"
strings:
$a1 = { 4d 41 43 48 49 4e 45 49 44 3d 22 24 28 69 6f 72 65 67 20 2d 61 64 32 20 2d 63 20 49 4f 50 6c 61 74 66 6f 72 6d 45 78 70 65 72 74 44 65 76 69 63 65 20 7c 20 78 6d 6c 6c 69 6e 74 20 2d 2d 78 70 61 74 68 20 27 2f 2f 6b 65 79 5b 2e 3d 22 49 4f 50 6c 61 74 66 6f 72 6d 55 55 49 44 22 5d 2f 66 6f 6c 6c 6f 77 69 6e 67 2d 73 69 62 6c 69 6e 67 3a 3a 2a 5b 31 5d 2f 74 65 78 74 28 29 27 20 2d 29 22 3b 43 4f 4e 54 45 4e 54 3d 24 28 63 75 72 6c 20 2d 2d 63 6f 6e 6e 65 63 74 2d 74 69 6d 65 6f 75 74 20 39 30 }
$a2 = { 65 76 61 6c 20 22 24 43 4f 4e 54 45 4e 54 22 }
$a3 = { 5f 73 79 73 74 65 6d }
$b1 = { 49 89 C7 48 BF 2F 75 73 72 2F 73 62 69 48 BE 6E 2F 63 68 6F 77 6E EF }
$b2 = { 49 89 C6 48 BF 2F 62 69 6E 2F 63 68 6D 48 BE 6F 64 00 00 00 00 00 EA }
$b3 = { 28 69 6f 72 65 67 20 2d 61 64 32 20 2d 63 20 49 4f 50 6c 61 74 66 6f 72 6d 45 78 70 65 72 74 44 65 76 69 63 65 20 7c 20 78 6d 6c 6c 69 6e 74 20 2d 2d 78 70 61 74 68 20 27 2f 2f 6b 65 79 5b 2e 3d 22 49 4f 50 6c 61 74 66 6f 72 6d 55 55 49 44 22 5d 2f 66 6f 6c 6c 6f 77 69 6e 67 2d 73 69 62 6c 69 6e 67 3a 3a 2a 5b 31 5d }
$b4 = { 28 73 77 5f 76 65 72 73 20 2d 70 72 6f 64 75 63 74 4e 61 6d 65 29 00 00 00 00 00 00 00 00 00 00 28 73 77 5f 76 65 72 73 20 2d 70 72 6f 64 75 63 74 56 65 72 73 69 6f 6e 29 }
$b5 = { 48 B9 6F 73 5F 76 65 72 73 69 }
$b6 = { 48 B8 6E 6F 74 5F 6C 61 75 6E 48 89 05 6E A2 00 00 48 B8 63 68 65 64 00 00 00 EC }
condition:
filesize < 100KB and Macho and ((all of ($a*)) or (all of ($b*)))
}
rule XProtect_MACOS_e16be2c
{
meta:
description = "MACOS.e16be2c"
strings:
$a = { 80 7d ?? 00 b8 ?? ?? ?? ?? b9 ?? ?? ?? ?? 0f 45 c1 ( e9 | eb ) ?? ?? ?? ?? }
$b = { 53 61 66 61 72 69 45 78 74 65 6e 73 69 6f 6e 48 61 6e 64 6c 65 72 }
$c = { 73 79 73 63 74 6c }
$d = { 49 4f 53 65 72 76 69 63 65 47 65 74 4d 61 74 63 68 69 6e 67 53 65 72 76 69 63 65 }
condition:
filesize < 500KB and Macho and all of them
}
rule XProtect_MACOS_1373c52
{
meta:
description = "MACOS.1373c52"
strings:
$a = { 48 8d b5 58 ff ff ff e8 ?? ?? ?? ?? 49 89 c4 66 0f 6f 05 09 3e 00 00 f3 0f 7f 40 10 4c 8d 68 20 44 88 78 20 48 8d 58 21 48 8b 7d c8 e8 ?? ?? ?? ?? 4c 89 ef 48 89 de 4c 8d 6d 90 e8 ?? ?? ?? ?? 4c 89 e7 e8 ?? ?? ?? ?? 48 8b 5d 80 48 ff c3 70 ?? }
condition:
filesize < 200KB and Macho and $a
}
rule XProtect_MACOS_6e7d4c2
{
meta:
description = "MACOS.6e7d4c2"
strings:
$a1 = { 73 65 74 44 69 73 74 72 69 62 75 74 65 72 }
$a2 = { 73 65 74 44 65 76 69 63 65 49 44 }
$a3 = { 73 65 74 43 68 61 6e 6e 65 6c 49 44 }
$a4 = { 73 65 74 49 70 41 64 64 72 65 73 73 }
$a5 = { 73 65 74 42 61 72 63 6f 64 65 49 44 }
$a6 = { 73 65 74 43 48 }
$a7 = { 73 65 74 46 46 }
$a8 = { 73 65 74 53 61 66 61 72 69 45 58 }
$b1 = { 49 4e 43 68 72 6f 6d 65 41 6e 64 46 46 53 65 74 74 65 72 }
$b2 = { 49 4e 41 70 53 65 74 74 65 72 }
$b3 = { 49 4e 49 6e 73 74 61 6c 6c 65 72 46 6c 6f 77 }
$c = { 48 8b 85 f0 fe ff ff 48 89 c7 ff ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 bd c0 fe ff ff 48 89 cf 48 89 c2 ff ?? ?? ?? ?? ?? 48 89 c7 e8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 8b 8d c0 fe ff ff 48 89 cf 48 89 c2 48 89 85 b8 fe ff ff ff ?? ?? ?? ?? ?? 48 8b 85 b8 fe ff ff 48 89 c7 ff ?? ?? ?? ?? ?? 45 31 c0 44 89 c6 48 8d 45 e0 48 89 c7 e8 ?? ?? ?? ?? 48 81 c4 50 01 00 00 5d c3 }
condition:
Macho and filesize < 1MB and ( ( all of ( $a* ) and all of ( $b* ) ) or $c )
}
rule XProtect_MACOS_1f26189
{
meta:
description = "MACOS.1f26189"
strings:
$a1 = { 70 72 6F 63 65 73 73 49 6E 66 6F 00 6F 70 65 72 61 74 69 6E 67 53 79 73 74 65 6D 56 65 72 73 69 6F 6E 00 }
$a2 = { 49 4F 45 74 68 65 72 6E 65 74 49 6E 74 65 72 66 61 63 65 00 49 4F 50 72 69 6D 61 72 79 49 6E 74 65 72 66 61 63 65 00 49 4F 50 72 6F 70 65 72 74 79 4D 61 74 63 68 00 49 4F 53 65 72 76 69 63 65 00 49 4F 4D 41 43 41 64 64 72 65 73 73 00 49 4F 50 6C 61 74 66 6F 72 6D 53 65 72 69 61 6C 4E 75 6D 62 65 72 00 49 4F 50 6C 61 74 66 6F 72 6D 55 55 49 44 00 }
$b1 = { 0F 28 ?? ?? ?? ?? 00 0F 29 ?? ?? ?? ?? 00 48 8D ?? ?? ?? ?? 00 [0-20] 48 ?? ?? ?? ?? ?? 00 C7 05 5B B1 05 00 B0 ED F8 F0 [0-20] C6 ?? ?? ?? ?? 00 ?? 48 8D ?? ?? ?? ?? 00 48 ?? ?? ?? DA FE FF E8 ?? ?? ?? 00 48 8D ?? ?? ?? ?? 00 }
$b2 = { C7 45 ?? ?? 00 00 00 83 7D ?? ?? 7C ?? 48 63 45 ?? F2 48 0F ?? 04 ?? F2 0F 51 C0 F2 0F 2C C0 48 63 4D ?? 88 84 0B ?? 00 00 00 8B 45 ?? 83 C0 ?? 89 45 ?? EB ?? EB ?? }
condition:
filesize < 1MB and Macho and all of ($a*) and any of ($b*)
}
rule XProtect_MACOS_8f20223
{
meta:
description = "MACOS.8f20223"
strings:
$a = { 48 83 c? 77 (0f | 70) ?? }
$b = { 5f 43 47 44 69 73 70 6c 61 79 4d 6f 76 65 43 75 72 73 6f 72 54 6f 50 6f 69 6e 74 }
condition:
filesize < 500KB and Macho and all of them
}
rule XProtect_MACOS_1c119be
{
meta:
description = "MACOS.1c119be"
strings:
$a = { 70 72 65 70 61 72 65 5f 73 65 61 72 63 68 }
$b = { 65 78 65 63 75 74 65 5f 73 65 61 72 63 68 }
$c = { 67 65 74 51 75 65 72 79 50 61 72 74 }
$d = { 53 65 61 72 63 68 50 72 65 66 69 78 65 73 }
$e = { 49 67 6e 6f 72 65 44 6f 6d 61 69 6e 73 }
$f = { 53 65 61 72 63 68 65 73 43 6c 6f 75 64 }
$g = { 53 65 61 72 63 68 65 73 4e 65 74 77 6f 72 6b }
$h = { 48 ?? 71 75 65 72 79 00 00 00 }
$i = { 48 ?? 72 65 73 65 74 20 53 65 }
$j = { 48 ?? 74 74 69 6e 67 73 00 }
condition:
filesize < 100KB and Macho and 3 of them
}
rule XProtect_MACOS_449a7ed
{
meta:
description = "MACOS.449a7ed"
strings:
$a1 = { 63 6c 6f 73 65 64 69 72 00 5f 6d 65 6d 63 68 72 00 5f 6d 65 6d 63 6d 70 00 5f 6d 65 6d 63 70 79 00 5f 6d 65 6d 73 65 74 00 5f 6f 70 65 6e 64 69 72 24 49 4e 4f 44 45 36 34 00 5f 72 61 6e 64 00 5f 72 65 61 64 64 69 72 24 49 4e 4f 44 45 36 34 00 5f 73 72 61 6e 64 00 5f 73 74 61 74 24 49 4e 4f 44 45 36 34 00 5f 73 74 72 63 70 79 00 5f 73 74 72 6c 65 6e 00 5f 73 79 73 74 65 6d 00 5f 74 69 6d 65 00 5f 76 73 6e 70 72 69 6e 74 66 00 64 79 6c 64 5f }
$a2 = { 48 89 7D F0 48 C7 45 F8 ?? 00 00 00 E8 3B 2D 00 00 B9 ?? 00 00 00 48 98 31 D2 48 F7 F1 48 8D ?? ?? 30 00 00 0F BE 04 ?? 48 83 C4 ?? }
$a3 = { 48 89 ?? 48 89 ?? E8 45 ?? 00 00 48 8D 45 ?? 48 8D ?? F0 FE FF FF 48 89 48 ?? 48 8D 4D ?? 48 89 48 ?? C7 40 04 ?? 00 00 00 C7 00 ?? 00 00 00 48 8D ?? ?? E8 7C ?? 00 00 49 89 C4 48 63 5D BC 4C 89 FF E8 9D ?? 00 00 48 8D ?? ?? 4C 89 ?? 48 89 ?? 48 89 ?? E8 0F ?? 00 00 89 45 ?? }
condition:
filesize < 500KB and Macho and all of them
}
rule XProtect_MACOS_d444820
{
meta:
description = "MACOS.d444820"
strings:
$a1 = { 70 74 68 72 65 61 64 5f 6b 65 79 5f 63 72 65 61 74 65 00 90 00 72 f8 01 15 40 5f 70 74 68 72 65 61 64 5f 6f 6e 63 65 00 90 00 72 80 02 15 40 5f 70 74 68 72 65 61 64 5f 73 65 74 73 70 65 63 69 66 69 63 00 90 00 72 88 02 15 40 5f 73 69 67 61 63 74 69 6f 6e 00 90 00 72 90 02 15 40 5f 73 69 67 6c 6f 6e 67 6a 6d 70 00 90 00 72 98 02 15 40 5f 73 69 67 73 65 74 6a 6d 70 }
$a2 = { 3c 6b 65 79 3e 63 6f 6d 2e 61 70 70 6c 65 2e 73 65 63 75 72 69 74 79 2e 63 73 2e 61 6c 6c 6f 77 2d 75 6e 73 69 67 6e 65 64 2d 65 78 65 63 75 74 61 62 6c 65 2d 6d 65 6d 6f 72 79 3c 2f 6b 65 79 3e }
$a3 = { 5f 73 69 67 6e 61 6c 5f 68 61 6e 64 6c 65 72 }
$a4 = { 5f 74 72 79 5f 63 61 74 63 68 5f 69 6e 69 74 }
$a5 = { BA ?? 00 00 00 B8 01 00 00 00 EB ?? 66 0F 1F 84 00 ?? ?? 00 00 48 83 C0 02 89 CA 48 3D ?? ?? ?? ?? 74 ?? 42 30 54 30 ?? 83 C2 ?? 31 C9 BE 00 00 00 00 81 FA FE 00 00 00 7F ?? 89 D6 42 30 34 30 83 C6 ?? 81 FE FE 00 00 00 7F ?? 89 F1 EB ?? }
condition:
Macho and filesize < 500KB and all of them
}
rule XProtect_MACOS_8a20735
{
meta:
description = "MACOS.8a20735"
strings:
$a1 = { 5f 67 65 74 78 61 74 74 72 }
$a2 = { 5f 73 79 73 74 65 6d }
$a3 = { 5f 75 75 69 64 5f 67 65 6e 65 72 61 74 65 5f 72 61 6e 64 6f 6d }
$b1 = { 5f 54 72 61 6e 73 66 6f 72 6d 50 72 6f 63 65 73 73 54 79 70 65 }
$b2 = { 5f 61 63 63 65 73 73 00 5f 63 68 6d 6f 64 00 5f 64 6c 63 6c 6f 73 65 00 5f 64 6c 6f 70 65 6e 00 5f 64 6c 73 79 6d 00 5f 66 63 6c 6f 73 65 00 5f 66 65 6f 66 00 5f 66 66 6c 75 73 68 00 5f 66 67 65 74 73 00 5f 66 6f 70 65 6e 00 5f 66 72 65 61 64 00 5f 66 72 65 65 00 5f 66 73 65 65 6b 00 5f 66 73 65 65 6b 6f 00 5f 66 74 65 6c 6c 6f 00 5f 66 77 72 69 74 65 00 5f 6b 43 46 41 6c 6c 6f 63 61 74 6f 72 }
$c1 = { A8 01 75 02 EB 21 C6 03 01 48 8D 7D D8 BE 01 00 00 00 ?? ?? ?? ?? ?? 48 8B 45 D8 48 89 43 08 48 89 DF ?? ?? ?? ?? ?? 48 89 DF ?? ?? ?? ?? ?? A8 01 75 02 EB 4E 48 8B 5B 08 48 8B 75 D0 4C 8D 75 80 4C 89 F7 ?? ?? ?? ?? ?? 48 89 DF 4C 89 F6 ?? ?? ?? ?? ?? EB 00 48 89 C3 48 8D 7D 80 ?? ?? ?? ?? ?? }
condition:
Macho and filesize < 250KB and (all of ($a*) or all of ($b*)) and $c1
}
rule XProtect_MACOS_e3548bb
{
meta:
description = "MACOS.e3548bb"
strings:
$a1 = { 5f 49 4f 53 65 72 76 69 63 65 4d 61 74 63 68 69 6e 67 }
$a2 = { 5f 49 4f 53 65 72 76 69 63 65 47 65 74 4d 61 74 63 68 69 6e 67 53 65 72 76 69 63 65 }
$a3 = { 5f 49 4f 52 65 67 69 73 74 72 79 45 6e 74 72 79 43 72 65 61 74 65 43 46 50 72 6f 70 65 72 74 79 }
$a4 = { 48 89 ?? ?? 48 89 ?? 4C 89 ?? 48 8D ?? ?? ?? 00 00 41 FF ?? 48 89 ?? E8 37 ?? 00 00 48 89 ?? ?? 48 89 ?? ?? }
$a5 = { 44 89 7C ?? ?? C1 E3 ?? C1 E5 ?? 0F B7 ?? 09 D9 41 0F B6 ?? 09 ?? 89 54 ?? ?? 48 8D 74 ?? ?? BF ?? 00 00 00 FF ?? }
condition:
filesize < 500KB and Macho and all of them
}
rule XProtect_MACOS_71915a8
{
meta:
description = "MACOS.71915a8"
strings:
$shebang = "#!"
$a = "zsh"
$b = "\\U00000"
$c = "${"
$d = "rev)"
condition:
filesize < 10KB and $shebang at 0 and $a and #b > 15 and #c > 100 and $d
}
rule XProtect_MACOS_260ae81
{
meta:
description = "MACOS.260ae81"
strings:
$s1 = { 4D 65 64 69 61 52 65 6D 6F 74 65 2E 61 70 70 }
$s2 = { 57 61 74 63 68 43 61 74 2E 61 70 70 }
$s3 = { 73 77 5F 76 65 72 73 20 2D 70 72 6F 64 75 63 74 4E 61 6D 65 }
$s4 = { 73 77 5F 76 65 72 73 20 2D 70 72 6F 64 75 63 74 56 65 72 73 69 6F 6E }
$s5 = { 73 77 5F 76 65 72 73 20 2D 62 75 69 6C 64 56 65 72 73 69 6F 6E }
$s6 = { 77 68 6F 61 6D 69 }
$s7 = { 70 73 20 2D 65 20 2D 6F 20 63 6F 6D 6D 61 6E 64 }
$s8 = { 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 4D 61 63 69 6E 74 6F 73 68 3B 20 49 6E 74 65 6C 20 4D 61 63 20 4F 53 20 58 20 31 30 5F 31 33 5F 36 29 20 41 70 70 6C 65 57 65 62 4B 69 74 2F 36 30 35 2E 31 2E 31 35 20 28 4B 48 54 4D 4C 2C 20 6C 69 6B 65 20 47 65 63 6B 6F 29 20 56 65 72 73 69 6F 6E 2F 31 32 2E 30 2E 32 20 53 61 66 61 72 69 2F 36 30 35 2E 31 2E 31 35 }
condition:
Macho and filesize < 500KB and all of them
}
rule XProtect_MACOS_580a1bc
{
meta:
description = "MACOS.580a1bc"
strings:
$s1 = { 73 77 5F 76 65 72 73 20 2D 70 72 6F 64 75 63 74 4E 61 6D 65 }
$s2 = { 73 77 5F 76 65 72 73 20 2D 70 72 6F 64 75 63 74 56 65 72 73 69 6F 6E }
$s3 = { 73 77 5F 76 65 72 73 20 2D 62 75 69 6C 64 56 65 72 73 69 6F 6E }
$s4 = { 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 4D 61 63 69 6E 74 6F 73 68 3B 20 49 6E 74 65 6C 20 4D 61 63 20 4F 53 20 58 20 31 30 5F 31 33 5F 36 29 20 41 70 70 6C 65 57 65 62 4B 69 74 2F 36 30 35 2E 31 2E 31 35 20 28 4B 48 54 4D 4C 2C 20 6C 69 6B 65 20 47 65 63 6B 6F 29 20 56 65 72 73 69 6F 6E 2F 31 32 2E 30 2E 32 20 53 61 66 61 72 69 2F 36 30 35 2E 31 2E 31 35 }
$s5 = { 63 6F 6D 2E 61 70 70 6C 65 2E 77 61 74 63 68 63 61 74 2E 70 6C 69 73 74 }
condition:
Macho and filesize < 500KB and all of them
}
rule XProtect_MACOS_6cb9746
{
meta:
description = "MACOS.6cb9746"
strings:
$a = { 8b 45 bc 48 8b 4d a0 48 63 55 9c 33 04 91 89 04 91 8b 7d bc be 01 00 00 00 e8 ?? ?? ?? ?? 89 45 bc 8b 45 9c 83 c0 01 89 45 9c e9 ?? ?? ?? ?? }
$b = { 48 0f bf 85 ce fe ff ff 0f b6 8c 05 f0 fe ff ff 48 0f bf 85 ce fe ff ff 0f b6 84 05 f0 fe ff ff 0f b6 95 db fe ff ff 89 95 bc fe ff ff 99 8b b5 bc fe ff ff f7 fe 01 d1 89 c8 99 b9 ?? ?? ?? ?? f7 f9 40 88 d7 4c 0f bf 85 ce fe ff ff 42 88 bc 05 f0 fe ff ff 0f b6 85 db fe ff ff 0f bf 8d ce fe ff ff 01 c1 66 89 ca 66 89 95 ce fe ff ff e9 ?? ?? ?? ?? }
condition:
Macho and all of them
}
rule XProtect_MACOS_b17a97e
{
meta:
description = "MACOS.b17a97e"
strings:
$s1 = { 89 C1 C1 E9 07 48 69 C9 11 08 04 02 48 C1 E9 20 69 C9 80 3F 00 00 F7 D9 }
condition:
Macho and filesize < 100KB and all of them
}
rule XProtect_MACOS_2b3d4cb
{
meta:
description = "MACOS.2b3d4cb"
strings:
$s1 = { 43 6F 6E 6E 4D 6F 64 65 6C }
$s2 = { 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 4D 61 63 69 6E 74 6F 73 68 3B 20 49 6E 74 65 6C 20 4D 61 63 20 4F 53 20 58 20 31 30 5F 31 32 5F 36 29 20 41 70 70 6C 65 57 65 62 4B 69 74 2F 35 33 37 2E 33 36 20 28 4B 48 54 4D 4C 2C 20 6C 69 6B 65 20 47 65 63 6B 6F 29 20 43 68 72 6F 6D 65 2F 36 36 2E 30 2E 33 33 35 39 2E 31 33 39 20 53 61 66 61 72 69 2F 35 33 37 2E 33 36 }
$s3 = { 31 72 65 70 6C 79 46 69 6E 69 73 68 65 64 28 29 }
$s4 = { 32 66 69 6E 69 73 68 65 64 28 29 }
condition:
Macho and filesize < 100KB and all of them
}
rule XProtect_MACOS_8340d93
{
meta:
description = "MACOS.8340d93"
strings:
$s1 = { 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 4D 61 63 69 6E 74 6F 73 68 3B 20 49 6E 74 65 6C 20 4D 61 63 20 4F 53 20 58 20 31 30 5F 31 34 5F 33 29 20 41 70 70 6C 65 57 65 62 4B 69 74 2F 36 30 35 2E 31 2E 31 35 20 28 4B 48 54 4D 4C 2C 20 6C 69 6B 65 20 47 65 63 6B 6F 29 20 56 65 72 73 69 6F 6E 2F 31 32 2E 30 2E 32 20 53 61 66 61 72 69 2F 36 30 35 2E 31 2E 31 35 }
$s2 = { 5F 42 61 73 65 36 34 45 6E 63 6F 64 65 }
$s3 = { 5F 43 75 72 6C 53 65 6E 64 52 65 63 76 }
$s4 = { 5F 44 6F 77 6E 41 63 74 }
$s5 = { 5F 47 65 6E 65 72 61 74 65 46 69 6C 65 4E 61 6D 65 }
$s6 = { 5F 47 65 74 49 6E 66 6F 4C 69 6E 65 }
$s7 = { 5F 47 65 74 49 6E 74 65 72 6E 61 6C 49 50 }
$s8 = { 5F 47 65 74 55 73 65 72 4E 61 6D 65 }
$s9 = { 5F 47 65 74 5F 53 57 5F 56 45 52 }
$s10 = { 5F 53 69 6E 53 6C 65 65 70 }
$s11 = { 5F 53 69 6E 5A 65 72 6F 4D 65 6D 6F 72 79 }
condition:
Macho and filesize < 100KB and all of them
}
rule XProtect_MACOS_f4a3a92
{
meta:
description = "MACOS.f4a3a92"
strings:
$s1 = { 6A 47 7A 41 63 4E 36 6B 34 56 73 54 52 6E 39 }
$s2 = { 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 20 4E 54 20 31 30 2E 30 3B 20 57 69 6E 36 34 3B 20 78 36 34 29 20 41 70 70 6C 65 57 65 62 4B 69 74 2F 35 33 37 2E 33 36 20 28 4B 48 54 4D 4C 2C 20 6C 69 6B 65 20 47 65 63 6B 6F 29 20 43 68 72 6F 6D 65 2F 37 32 2E 30 2E 33 36 32 36 2E 31 32 31 20 53 61 66 61 72 69 2F 35 33 37 2E 33 36 }
condition:
Macho and filesize < 100KB and all of them
}
rule XProtect_MACOS_8d038b3
{
meta:
description = "MACOS.8d038b3"
strings:
$s1 = { 5F 69 73 5F 73 69 65 72 72 61 }
$s2 = { 5F 66 69 6E 64 5F 6D 61 63 68 6F }
$s3 = { 5F 66 69 6E 64 5F 65 70 63 }
$s4 = { 5F 72 65 73 6F 6C 76 65 5F 73 79 6D 62 6F 6C }
$s5 = { 5F 6D 65 6D 6F 72 79 5F 65 78 65 63 32 }
$s6 = { 5F 6D 65 6D 6F 72 79 5F 65 78 65 63 }
$s7 = { 5F 6C 6F 61 64 5F 66 72 6F 6D 5F 6D 65 6D 6F 72 79 }
condition:
Macho and filesize < 100KB and all of them
}
rule XProtect_MACOS_c723519
{
meta:
description = "MACOS.c723519"
strings:
$s1 = { 5F 6D 5F 43 6F 6E 66 69 67 }
$s2 = { 5F 5F 5A 39 53 65 74 43 6F 6E 66 69 67 76 }
$s3 = { 5F 5F 5A 31 30 4C 6F 61 64 43 6F 6E 66 69 67 76 }
$s4 = { 5F 5F 5A 31 30 53 61 76 65 43 6F 6E 66 69 67 76 }
$s5 = { 5F 5F 5A 31 33 4D 65 73 73 61 67 65 54 68 72 65 61 64 76 }
condition:
Macho and filesize < 100KB and all of them
}
rule XProtect_MACOS_bd64115
{
meta:
description = "MACOS.bd64115"
strings:
$s1 = { 68 74 74 70 73 3A 2F 2F 63 6F 69 6E 67 6F 74 72 61 64 65 2E 63 6F 6D 2F 75 70 64 61 74 65 5F 63 6F 69 6E 67 6F 74 72 61 64 65 2E 70 68 70 }
$s2 = { 76 65 72 3D 25 64 26 74 69 6D 65 73 74 61 6D 70 3D 25 6C 64 }
$s3 = { 43 6F 69 6E 47 6F 54 72 61 64 65 20 31 2E 30 20 28 43 68 65 63 6B 20 55 70 64 61 74 65 20 4F 73 78 29 }
$s4 = { 2F 70 72 69 76 61 74 65 2F 74 6D 70 2F 75 70 64 61 74 65 63 6F 69 6E 67 6F 74 72 61 64 65 }
$s5 = { 6B 75 70 61 79 5F 75 70 64 61 74 65 72 5F 6D 61 63 5F 6E 65 77 2D 35 35 35 35 34 39 34 34 39 34 36 35 31 63 37 36 32 65 32 35 33 37 65 31 62 32 66 31 32 64 30 31 64 33 63 34 33 37 63 37 }
condition:
Macho and filesize < 100KB and all of them
}
rule XProtect_MACOS_8032420
{
meta:
description = "MACOS.8032420"
strings:
$a1 = { 0f 28 ?? ?? ?? ?? ?? 0f 28 ?? ?? ?? ?? ?? 0f 57 c8 0f 29 ?? ?? ?? ?? ?? 0f 57 05 e3 13 07 00 0f 29 ?? ?? ?? ?? ?? 80 35 ?? ?? ?? 00 ?? 80 35 ?? ?? ?? 00 ?? 80 35 ?? ?? ?? 00 ?? 80 35 ?? ?? ?? 00 ?? 80 35 ?? ?? ?? 00 ?? }
$a2 = { 48 8d [5] 80 34 08 ?? 48 ff c0 48 ?? ?? ?? 75 ?? 48 8d [5] 48 89 df 4c 89 fe ff }
$a3 = { b8 02 00 00 00 48 ?? ?? ?? ?? ?? ?? 48 c7 c2 ff ff ff ff 80 ?? ?? ?? 48 ff c8 48 39 d0 75 ?? }
$a4 = { 48 c7 c2 ff ff ff ff 80 ?? ?? ?? 48 ff c8 48 39 d0 75 ?? 48 ?? ?? ?? ?? ?? ?? 48 89 df }
$a5 = { 50 58 90 90 90 90 50 58 90 90 90 8a (4c | 8c ) c7 [1-4] 80 ?? ?? 88 (4c | 8c) 07 [1-4] 50 58 90 90 50 58 90 90 48 ff c8 48 ?? ?? ?? 75 ?? }
$a7 = { 50 58 90 50 58 80 f? ?? 88 ( 4c | 5c | 6c | 7c ) ?? ?? 50 58 50 58 }
$b = { 0f 57 c0 f2 48 0f 2a 44 c1 [1-4] f2 0f 51 c0 [0-8] f2 0f 2c d0 88 ?? 08 [1-4] 48 ff c8 48 ?? ?? ?? 75 ?? }
$c = { 8a ?4 c1 ?? [0-3] fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
$d = { 31 C0 48 8D 0D ?? ?? ?? 00 0F 57 C0 F2 48 0F 2A ?? C1 ?? [0-10] F2 0F 51 C0 F2 0F 2C D0 88 ?? 08 ?? [0-10] 48 FF C8 48 83 F8 ?? 75 ?? [0-20] ?? 89 F7 }
$e = { 5f 73 79 73 74 65 6d }
$f = { 5f 6d 65 6d 63 70 79 }
$g = { 8b 42 fc 34 ?? 88 02 8b 42 fc fe c0 34 ?? 88 42 01 8b 42 fc 04 02 34 ?? 88 42 02 8b 42 fc 04 03 34 ?? 88 42 03 8b 42 fc 04 04 34 ?? 88 42 04 8b 42 fc 04 05 34 ?? 88 42 05 8b 42 fc 04 06 34 ?? 88 42 06 8b 42 fc 04 07 34 ?? 88 42 07 8b 42 fc 04 08 34 ?? }
condition:
Macho and filesize < 4MB and (any of ( $a* ) or #g > 50 or $b or $c ) or ( #d > 1 and #e > 1 and #f > 1 )
}
rule XProtect_MACOS_e4644f7
{
meta:
description = "MACOS.e4644f7"
strings:
$a1 = { 5f 73 79 73 74 65 6d }
$a2 = { 62 61 73 65 36 34 20 2d 2d 64 65 63 6f 64 65 20 }
$b1 = { E8 ?? ?? 00 00 31 FF 48 89 C6 E8 ?? ?? 00 00 }
$b3 = { 48 8B ?? ?? ?? 00 00 48 8D ?? ?? ?? 00 00 }
$b4 = { 48 89 ?? E8 ?? 00 00 00 48 8B ?? D0 }
condition:
Macho and all of them
}
rule XProtect_MACOS_3ea93d1
{
meta:
description = "MACOS.3ea93d1"
strings:
$a1 = { 5f 63 68 6d 6f 64 }
$a2 = { 5f 5f 5f 65 72 72 6f 72 }
$b1 = { BE FF 01 00 00 48 ?? ?? E8 ?? 2B 00 00 E8 ?? ?? 00 00 83 38 02 75 ?? 81 ?? CF FA ED FE }
$b2 = { BA 00 10 00 00 31 C9 48 BF 00 00 00 00 01 00 00 00 48 ?? ?? D0 E8 ?? ?? FF FF 4C 8B 75 }
$c1 = { 30 ?? ?? 83 C0 ?? 3D FE 00 00 00 0F 4F C1 48 FF C7 48 39 FE 75 EA }
$c2 = { 80 ?? ?? ?? 48 FF C0 48 39 C6 75 ?? 8B ?? ?? ?? 00 00 83 ?? ?? }
$c3 = { BE 19 00 00 00 BA 72 6F 6D 4D E8 ?? FE FF FF }
condition:
Macho and filesize < 1MB and all of ($a*) and all of ($b*) and any of ($c*)
}
rule XProtect_MACOS_c592675
{
meta:
description = "MACOS.c592675"
strings:
$a = { 4c 75 6d 62 65 72 6a 61 63 6b }
$b = { 69 61 6d 72 6f 6f 74 }
$c = { 53 68 45 78 65 63 75 74 6f 72 }
condition:
Macho and 2 of them
}
rule XProtect_MACOS_489e70f
{
meta:
description = "MACOS.489e70f"
strings:
$a1 = { 66 89 45 d2 48 ?? ?? ?? ?? ?? ?? ba 01 00 00 00 4? 89 ?e 41 ff d? 66 89 45 d4 48 ?? ?? ?? ?? ?? ?? ba 02 00 00 00 4? 89 ?e 41 ff d? 66 89 45 d6 }
$a2 = { 44 89 e0 b9 ab aa aa aa 48 0f af c1 48 c1 e8 22 01 c0 49 89 dd 8d 1c 40 }
$a3 = { 44 89 e1 29 d9 4c 89 ?? 83 e1 fe 66 33 44 0d d2 48 8b ?? }
$a4 = { 66 89 4d ?? 0f be cb 66 89 4d ?? 0f be c0 66 89 45 ?? 48 }
condition:
Macho and filesize < 200KB and any of them
}
rule XProtect_MACOS_8283b86
{
meta:
description = "MACOS.8283b86"
strings:
$a = { 67 65 74 61 64 76 61 6e 63 65 64 6d 61 63 }
$b = { 74 72 61 63 6b 57 65 62 4f 66 66 65 72 73 56 69 65 77 }
$c = { 67 65 74 4f 66 66 65 72 50 61 72 73 65 64 43 6f 75 6e 74 }
$d = { 77 76 47 65 74 50 68 6f 6e 65 52 65 6e 64 6f 6d }
$e = { 48 8B 3D ?? ?? ?? ?? 48 8B 35 ?? ?? ?? ?? 48 8D 05 ?? ?? ?? ?? 48 89 ?? ?? 48 8D ?? ?? ?? ?? ?? 48 8D ?? ?? ?? ?? ?? 4C 8D ?? ?? ?? ?? ?? 4C 8D ?? ?? ?? ?? ?? 4C 8B ?? ?? ?? ?? ?? 31 C0 41 FF D7 49 89 C4 48 8B ?? ?? ?? ?? ?? 48 8B ?? ?? ?? ?? ?? 41 FF D7 48 8B 35 ?? ?? ?? ?? 48 89 C7 41 FF D7 48 ?? ?? ?? 4C 8B 35 ?? ?? ?? ?? 48 89 DF 4C 89 F6 41 FF D7 49 89 C5 4C 89 ?? ?? 4C 89 E7 4C 89 F6 41 FF D7 45 85 ED 0F 84 A1 00 00 00 48 8B ?? ?? ?? ?? ?? 48 89 ?? ?? 48 8B ?? ?? ?? ?? ?? 48 89 4D C0 44 89 E9 48 89 4D C8 45 31 ED 45 31 FF 48 89 5D A8 [-] 48 89 DF 4C 8B 75 B8 4C 89 F6 4C 89 EA 4C 8B ?? ?? ?? ?? ?? 41 FF D4 89 C3 44 89 FA 48 8B 7D A0 4C 89 F6 41 FF D4 0F B7 C0 C1 E8 04 31 D8 }
condition:
Macho and filesize < 3000000 and all of them
}
rule XProtect_MACOS_b264ff6
{
meta:
description = "MACOS.b264ff6"
strings:
$a1 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 44 89 ( e8 | e9 | e0 ) 48 ?? ?? ?? 45 31 (ed | e4) 45 31 (f6 | ff) }
$a2 = { 48 ?? ?? ?? 8b ?? ?? 89 ca 48 ?? ?? ?? ?? ?? ?? 48 89 c7 e8 ?? ?? ?? ?? 0f b7 c8 48 ?? ?? ?? 44 ?? ?? ?? 44 89 c6 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 d7 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 d6 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 0f b7 c8 c1 f9 04 44 ?? ?? ?? ?? ?? ?? 41 31 c8 66 44 89 c0 66 89 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 0f b7 ?? ?? 4c ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 4c 89 ce b0 00 e8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 d7 48 89 c2 e8 ?? ?? ?? ?? 8b ?? ?? 83 c1 01 89 ?? ?? 3b ?? ?? 0f 83 ?? ?? ?? ?? }
$a3 = { 48 ?? ?? ?? 8b ?? ?? 89 ca 48 ?? ?? ?? ?? ?? ?? 48 89 c7 ff ?? ?? ?? ?? ?? 0f b7 c8 48 ?? ?? ?? 44 ?? ?? ?? 44 89 c6 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 d7 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 d6 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 0f b7 c8 c1 f9 04 44 ?? ?? ?? ?? ?? ?? 41 31 c8 66 44 89 c0 66 89 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 0f b7 ?? ?? 4c ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 4c 89 ce b0 00 ff ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 d7 48 89 c2 ff ?? ?? ?? ?? ?? 8b ?? ?? 83 c1 01 89 ?? ?? 3b ?? ?? 0f 83 ?? ?? ?? ?? }
$a4 = { e8 ?? ?? ?? ?? 48 ?? ?? ?? e8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 cf 48 ?? ?? ?? 48 89 d6 48 ?? ?? ?? ff ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 c7 ff ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 c7 48 89 ca ff ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 89 d7 48 89 ca 48 89 c1 b0 00 ff ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 89 cf 48 89 c2 ff ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 c7 ff ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 89 c7 48 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? e8 ?? ?? ?? ?? 8b ?? ?? 48 ?? ?? ?? e8 ?? ?? ?? ?? }
$b1 = { 75 73 65 72 45 6e 74 65 72 65 64 46 69 6c 65 6e 61 6d 65 }
$b2 = { 64 69 64 43 61 6e 63 65 6c 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 43 68 61 6c 6c 65 6e 67 65 }
$b3 = { 65 78 65 63 75 74 65 43 6f 6d 6d 61 6e 64 }
$b4 = { 2f 75 73 72 2f 73 62 69 6e 2f 73 79 73 74 65 6d 5f 70 72 6f 66 69 6c 65 72 }
$c = { 00 25 40 25 40 25 40 25 40 00 25 63 00 }
condition:
Macho and filesize < 3000000 and (1 of ($a*)) and (1 of ($b*)) and $c
}
rule XProtect_MACOS_f3edc61
{
meta:
description = "MACOS.f3edc61"
strings:
$a = { 6f 70 65 6e 50 68 6f 74 6f 73 4e 61 67 }
$b = { 73 69 6c 65 6e 74 6c 79 46 69 72 65 55 72 6c }
$c = { 54 72 61 63 6b 4f 66 66 65 72 73 }
$d = { 48 8D 05 ?? ?? ?? ?? 48 8B 8D ?? ?? ?? ?? 48 8B 15 ?? ?? ?? ?? 48 8B 35 ?? ?? ?? ?? 48 89 D7 48 89 C2 48 89 8D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 8B 35 ?? ?? ?? ?? 48 8B 8D ?? ?? ?? ?? 48 89 CF 48 89 C2 FF 15 ?? ?? ?? ?? 41 B8 10 00 00 00 31 F6 41 B9 40 00 00 00 44 89 CA 48 89 85 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 C1 48 89 CF 48 89 85 ?? ?? ?? ?? 4C 89 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 8B 35 ?? ?? ?? ?? 48 89 C1 48 89 CF 48 8B 95 ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? 4C 8B 85 ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 83 F8 00 48 89 85 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? }
condition:
Macho and filesize < 1000000 and all of them
}
rule XProtect_MACOS_60a3d68
{
meta:
description = "MACOS.60a3d68"
strings:
$a = { 23 21 }
$b1 = { 6f 70 65 6e 73 73 6c [1-3] 65 6e 63 }
$b2 = { 2d 61 65 73 2d 32 35 36 2d 63 62 63 }
$c1 = { 24 4f 24 50 24 45 24 4e 24 53 24 53 24 4c 20 24 45 24 4e 24 43 }
$c2 = { 2d 24 41 24 45 24 53 2d 32 35 36 2d 63 62 63 }
$d1 = { 24 7b 4f 7d 24 7b 50 7d 24 7b 45 7d 24 7b 4e 7d 24 7b 53 7d 24 7b 53 7d 24 7b 4c 7d 20 24 7b 45 7d 24 7b 4e 7d 24 7b 43 7d }
$d2 = { 2d 24 7b 41 7d 24 7b 45 7d 24 7b 53 7d 2d 32 35 36 2d 63 62 63 }
$e1 = { 2d 62 61 73 65 36 34 }
$e2 = { 2d 61 }
$e3 = { 2d 62 24 7b 41 7d 24 7b 53 7d 24 7b 45 7d 36 34 }
$f = { 2d 64 }
$g1 = { 2d 69 6e }
$g2 = { 2d 6e 6f 73 61 6c 74 }
$g3 = { 2d 73 61 6c 74 }
$g4 = { 2d 6b }
$g5 = { 2d 6f 75 74 }
$g6 = { 2d 70 61 73 73 }
$g7 = { 2d 50 24 41 24 53 24 53 }
$g8 = { 2d 24 7b 50 7d 24 7b 41 7d 24 7b 53 7d 24 7b 53 7d }
$h1 = { 64 64 20 69 66 3d 2f 64 65 76 2f 75 72 61 6e 64 6f 6d 20 62 73 3d 24 28 6a 6f 74 20 2d 72 20 31 20 35 20 31 35 29 }
$h2 = { 62 61 73 65 36 34 20 7c 20 74 72 20 2d 64 63 20 27 61 2d 7a 41 2d 5a 30 2d 39 27 }
$h3 = { 3c 65 6e 63 29 22 }
$h4 = { 52 65 73 6f 75 72 63 65 73 2f 65 6e 63 29 22 }
$h5 = { 73 68 65 6c 6c 5f 65 78 65 63 }
$h6 = { 65 76 61 6c }
$h7 ={ 63 68 6d 6f 64 20 2b 78 20 }
$h8 = { 73 75 62 70 72 6f 63 65 73 73 2e 50 6f 70 65 6e }
condition:
$a at 0 and filesize < 5KB and (all of ($b*) or all of ($c*) or all of ($d*)) and any of ($e*) and $f and any of ($g*) and any of ($h*)
}
rule XProtect_MACOS_5af1486
{
meta:
description = "MACOS.5af1486"
strings:
$a1 = { 00 70 72 6f 6d 70 74 00 69 63 6f 6e 00 }
$a2 = { 00 64 61 74 61 31 00 70 6c 69 73 74 00 }
$b1 = { 55 48 89 e5 48 83 ec 50 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? b9 ?? ?? ?? ?? 89 ca 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 48 89 c7 48 ?? ?? ?? e8 ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 8b ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 c7 48 ?? ?? ?? e8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 0f 85 ?? ?? ?? ?? 48 ?? ?? ?? 48 83 c4 50 5d c3 e8 ?? ?? ?? ?? }
condition:
Macho and (filesize < 2MB) and all of them
}
rule XProtect_MACOS_03b5cbe
{
meta:
description = "MACOS.03b5cbe"
strings:
$a = { 48 ?? ?? ?? ?? ?? ?? 31 c0 e8 ?? ?? ?? ?? 49 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 41 ff d6 49 ?? ?? ?? 49 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? b9 01 00 00 00 41 ff d6 49 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 41 ff d6 84 c0 74 ?? }
$b = { 73 74 61 74 75 73 2e 70 6c 69 73 74 }
$c = { 74 72 69 67 67 65 72 }
condition:
Macho and (filesize < 100KB) and all of them
}
rule XProtect_MACOS_ce3281e
{
meta:
description = "MACOS.ce3281e"
strings:
$a = { 4c ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 48 89 c7 e8 ?? ?? ?? ?? 49 89 c5 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 4c ?? ?? ?? ?? ?? ?? 31 c0 4c 89 f7 4c 89 e9 41 ff d4 48 89 c7 e8 ?? ?? ?? ?? 48 89 c3 4c ?? ?? ?? ?? ?? ?? 4c 89 ef 41 ff d6 4c ?? ?? ?? ?? ?? ?? 31 c0 4c 89 ff 48 89 de e8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 41 ff d4 48 ?? ?? ?? ?? ?? ?? 48 89 c7 48 ?? ?? ?? 48 89 da 41 ff d4 49 89 c5 48 ?? ?? ?? ?? ?? ?? 4c 89 ef 41 ff d4 48 89 c7 e8 ?? ?? ?? ?? 48 89 c3 31 c0 4c 89 ff 48 89 de e8 ?? ?? ?? ?? 48 89 df 41 ff d6 4d 85 ed 74 ?? }
$b = { 50 61 74 68 20 74 6f 20 70 72 65 66 3a 20 25 40 }
$c = { 73 65 61 72 63 68 76 }
$d = { 66 6f 72 6d 3d 41 50 4d 43 53 31 }
$e = { 2f 4c 69 62 72 61 72 79 2f 50 72 65 66 65 72 65 6e 63 65 73 2f 70 72 65 66 2e 70 6c 69 73 74 }
$f = { 66 72 3d 61 61 70 6c 77 }
condition:
Macho and (filesize < 100KB) and all of them
}
rule XProtect_MACOS_9bdf6ec
{
meta:
description = "MACOS.9bdf6ec"
strings:
$a1 = { 48 8b 3d ?? ?? ?? ?? e8 ?? ?? ?? ?? 49 89 c4 48 89 df e8 ?? ?? ?? ?? 48 89 cb 48 89 c7 48 89 d6 48 89 da e8 ?? ?? ?? ?? 49 89 c6 48 89 df e8 ?? ?? ?? ?? 4c 89 ff e8 ?? ?? ?? ?? be 18 00 00 00 ba 07 00 00 00 48 8d 3d ?? ?? ?? ?? e8 ?? ?? ?? ?? 48 89 c3 4c 89 6b 10 48 8d 05 ?? ?? ?? ?? 48 89 45 b0 48 89 5d b8 48 8b 05 ?? ?? ?? ?? 48 89 45 90 c7 45 98 00 00 00 42 c7 45 9c 00 00 00 00 0f 28 45 80 0f 11 45 a0 48 8d 7d 90 e8 ?? ?? ?? ?? 49 89 c7 4c 89 ef e8 ?? ?? ?? ?? 48 89 df e8 ?? ?? ?? ?? 48 8b 35 ?? ?? ?? ?? 4c 89 e7 4c 89 f2 4c 89 f9 e8 ?? ?? ?? ?? 4c 89 ff e8 ?? ?? ?? ?? 4c 89 f7 e8 ?? ?? ?? ?? 48 8b 3d ?? ?? ?? ?? e8 ?? ?? ?? ?? 48 8b 35 ?? ?? ?? ?? 48 89 c7 f3 0f 7e 05 ?? ?? ?? ?? e8 ?? ?? ?? ?? ff 55 c8 a8 01 }
$a2 = { e8 ?? ?? ?? ?? 41 80 e7 01 44 88 78 10 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 89 4b 20 48 89 43 28 48 ?? ?? ?? ?? ?? ?? 48 89 03 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 66 48 0f 6e c0 48 ?? ?? ?? ?? ?? ?? 66 48 0f 6e c8 66 0f 6c c8 f3 0f 7f 4b 10 48 89 df e8 ?? ?? ?? ?? 49 89 c7 48 ?? ?? ?? e8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 4c 89 e2 4c 89 f9 e8 ?? ?? ?? ?? 4c 89 ff e8 ?? ?? ?? ?? 4c 89 e7 e8 ?? ?? ?? ?? 4c 89 f7 4c 89 ee e8 ?? ?? ?? ?? }
$a3 = { 48 89 c3 4c 8b 7d b8 4c 89 ef e8 ?? ?? ?? ?? 4c 89 ff e8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 4c 89 e7 4c 89 f2 48 89 d9 e8 ?? ?? ?? ?? 48 89 df e8 ?? ?? ?? ?? 4c 89 f7 e8 ?? ?? ?? ?? }
$a4 = { 49 8B ?? 00 4C 89 ?? E8 37 ?? 00 00 48 8D ?? ?? ?? 00 00 48 39 C3 74 ?? 48 8D ?? ?? ?? 00 00 48 BE 00 00 00 00 00 00 00 80 48 09 ?? 48 BF 30 00 00 00 00 00 00 D0 FF 55 ?? EB ?? 48 8D ?? ?? ?? 00 00 48 BE 00 00 00 00 00 00 00 80 48 09 ?? 48 BF 30 00 00 00 00 00 00 D0 E8 6F ?? 00 00 }
$a5 = {48 8B ?? ?? ?? 00 00 4C 8D ?? ?? FF FF FF 31 F6 48 89 DF E8 ?? ?? 00 00 49 89 C6 49 89 D5 48 89 DF 4C 89 E6 41 FF ?? ?? 4C 89 E8 48 C1 ?? ?? 48 3D ?? 00 00 00 0F 87 ?? ?? 00 00 4C 89 E8 48 C1 ?? ?? 3C ?? 0F 84 ?? 00 00 00 3C ?? 74 ?? 3C ?? 0F 84 ?? 00 00 00 4C 89 E8 48 C1 ?? ?? 0F B6 ?? 48 85 DB 75 ?? E9 ?? 00 00 00 49 8B ?? ?? 49 2B ?? ?? 0F 80 ?? ?? 00 00 }
$b1 = { 73 68 6f 77 50 72 65 66 65 72 65 6e 63 65 73 46 6f 72 45 78 74 65 6e 73 69 6f 6e 57 69 74 68 49 64 65 6e 74 69 66 69 65 72 3a 63 6f 6d 70 6c 65 74 69 6f 6e 48 61 6e 64 6c 65 72 3a }
$b2 = { 67 65 74 53 74 61 74 65 4f 66 53 61 66 61 72 69 45 78 74 65 6e 73 69 6f 6e 57 69 74 68 49 64 65 6e 74 69 66 69 65 72 3a 63 6f 6d 70 6c 65 74 69 6f 6e 48 61 6e 64 6c 65 72 3a }
$c1 = { 6d 61 63 62 75 69 6c 64 65 72 5f 62 75 69 6c 64 73 }
$c2 = { 4c 6f 63 61 6c 53 61 66 61 72 69 41 70 70 45 78 74 }
$c3 = { 73 65 61 72 63 68 48 69 73 74 6f 72 79 }
$c4 = { 6d 61 74 63 68 44 61 74 61 54 69 6d 65 72 }
$c5 = { 6f 70 65 6e 50 72 65 66 }
$c6 = { 67 65 74 53 79 73 74 65 6d 55 55 49 44 }
$c7 = { 70 72 6f 63 65 73 73 49 6e 66 6f }
$c8 = { 61 72 67 75 6d 65 6e 74 73 }
$c9 = { 5f 49 4f 53 65 72 76 69 63 65 4d 61 74 63 68 69 6e 67 }
$c10 = { 48 BF 49 4F 50 6C 61 74 66 6F 48 BE 72 6D 55 55 49 44 00 EE }
condition:
Macho and (filesize < 200KB) and (1 of ($a*)) and (all of ($b*)) and (2 of ($c*))
}
rule XProtect_MACOS_e79dc35
{
meta:
description = "MACOS.e79dc35"
strings:
$a = { 73 65 61 72 63 68 [2-12] 2e 61 6b 61 6d 61 69 68 64 2e 6e 65 74 2f }
$b1 = { 49 be 79 73 00 00 00 00 00 ea 49 ?? ?? ?? ?? ?? ?? ?? ?? ?? 49 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 d8 e8 ?? ?? ?? ?? be 02 00 00 00 4c 89 e7 e8 ?? ?? ?? ?? 4c 89 ff e8 ?? ?? ?? ?? 49 81 c6 f5 00 00 00 48 89 df 4c 89 ee 4c 89 f2 e8 ?? ?? ?? ?? 49 89 dd e8 ?? ?? ?? ?? 49 89 c7 41 ?? ?? ?? ?? 4c 89 e3 49 c7 c4 ff ff ff ff 49 d3 e4 49 f7 d4 4d 21 e7 4c 89 f8 48 c1 e8 06 48 ?? ?? ?? ?? 4c 0f a3 f8 0f 83 ?? ?? ?? ?? }
$b2 = { 4c 89 ef e8 ?? ?? ?? ?? 48 ?? 61 62 70 2d 64 61 74 61 48 be 00 00 00 00 00 00 00 e8 e8 ?? ?? ?? ?? 49 89 c4 48 ?? ?? ?? ?? ?? ?? 48 85 ff 75 ?? }
$b3 = { 49 89 c6 48 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 49 89 c7 4c 8b 6d b8 4c 89 ef e8 ?? ?? ?? ?? 48 8b bd 20 ff ff ff 4c 89 ee e8 ?? ?? ?? ?? 49 89 c4 48 ?? ?? ?? ?? ?? ?? 4c 89 ff 48 89 c2 48 89 d9 e8 ?? ?? ?? ?? 48 89 c3 4c 89 ef e8 ?? ?? ?? ?? 4c 89 e7 e8 ?? ?? ?? ?? 48 85 db 0f 84 ?? ?? ?? ?? }
$b4 = { 48 8d b5 a0 fd ff ff 48 89 c7 e8 ?? ?? ?? ?? 4c 89 fa 48 89 55 a8 49 89 c7 0f 28 ?? ?? ?? ?? ?? 41 0f 11 47 10 48 ?? ?? ?? ?? ?? ?? 66 48 0f 6e c0 b8 02 00 00 00 66 48 0f 6e c8 66 0f 6c c1 66 0f 7f 4d c0 }
$b5 = { 49 ff c7 31 d2 4c 89 f8 48 f7 75 c0 48 8b 5d c8 48 3b 53 10 0f 82 ?? ?? ?? ?? }
$c1 = { 6c 61 73 74 48 65 61 72 74 62 65 61 74 }
$c2 = { 73 65 73 73 69 6f 6e 47 75 69 64 }
$c3 = { 65 78 74 65 6e 73 69 6f 6e 49 64 }
$c4 = { 75 73 65 72 47 75 69 64 }
$c5 = { 41 70 70 45 78 74 48 65 61 72 74 62 65 61 74 }
$c6 = { 69 73 4e 65 77 53 65 61 72 63 68 }
$c7 = { 73 65 6e 64 48 65 61 72 74 62 65 61 74 }
$c8 = { 53 61 66 61 72 69 45 78 74 65 6e 73 69 6f 6e 48 61 6e 64 6c 65 72 }
$c9 = { 6d 65 73 73 61 67 65 52 65 63 65 69 76 65 64 }
$d1 = { 48 89 CA 48 83 E2 FC 48 8D 5A ?? 48 89 DF 48 C1 EF ?? 48 FF C7 89 FE 83 E6 ?? 48 83 FB 0C 73 18 66 0F EF C0 31 FF 66 0F EF C9 48 85 F6 }
$e1 = { 5f 49 4f 53 65 72 76 69 63 65 47 65 74 4d 61 74 63 68 69 6e 67 53 65 72 76 69 63 65 }
$e2 = { 5f 49 4f 53 65 72 76 69 63 65 4d 61 74 63 68 69 6e 67 }
$e3 = { 53 46 53 61 66 61 72 69 50 61 67 65 50 72 6f 70 65 72 74 69 65 73 }
$f1 = { 48 B8 53 55 50 45 52 53 54 52 48 89 85 ?? FE FF FF 48 B8 49 4E 47 44 55 44 45 EF }
$f2 = { 49 FF C7 31 D2 4C 89 F8 48 F7 [2-5] 48 3B 53 10 }
$f3 = { 48 BF 49 4F 50 6C 61 74 66 6F 48 BE 72 6D 55 55 49 44 00 EE }
$f4 = { 48 89 55 C8 0F B6 44 13 20 4C 8B B5 50 FF FF FF 48 8B 8D 58 FF FF FF 48 89 CA 48 C1 EA 3E 80 FA 01 74 2D }
$f5 = { 48 B8 59 57 30 54 64 53 54 52 }
condition:
Macho and (filesize < 2MB) and ((($a or any of ($b*)) and (2 of ($c*))) or (any of ($d*) and (all of ($e*))) or ((all of ($e*)) and 4 of ($f*)))
}
rule XProtect_MACOS_d92d83c
{
meta:
description = "MACOS.d92d83c"
strings:
$a1 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 4c 89 ff 41 ff d5 48 ?? ?? ?? c6 03 00 48 ?? ?? ?? ?? ?? ?? 4c 89 f6 41 ff d5 48 ?? ?? ?? ?? ?? ?? 48 89 c7 48 89 da 41 ff d5 48 89 c3 48 ?? ?? ?? ?? ?? ?? 4c 89 ff 48 89 da 41 ff d5 48 ?? ?? ?? ?? ?? ?? 4c 89 ff 41 ff d5 84 c0 74 ?? }
$a2 = { 83 7e f8 00 78 ?? 4c 89 e7 e8 ?? ?? ?? ?? 49 8b 34 24 48 8b 45 c8 42 80 3c 3e 5c 75 ?? 4d 8d 6f 01 4c 3b 6e e8 73 ?? 83 7e f8 00 78 ?? 4c 89 }
$b1 = { 63 6f 6d 2e 6d 6d 2d 69 6e 73 74 61 6c 6c 2d 6d 61 63 6f 73 2e 77 77 77 }
$b2 = { 26 66 75 6e 6e 65 6c 3d }
$b3 = { 4d 4d 5f 50 41 53 53 57 44 }
condition:
Macho and (any of ($a*)) or (all of ($b*))
}
rule XProtect_MACOS_0e62876
{
meta:
description = "MACOS.0e62876"
strings:
$a = { 57 65 62 74 6f 6f 6c 73 43 6f 6e 66 69 67 }
$b = { 53 74 61 72 74 69 6e 67 20 70 72 6f 74 65 63 74 6f 72 20 69 6e 73 74 61 6c 6c 61 74 69 6f 6e }
$c = { 6a 73 46 72 6f 6d 41 70 70 6c 65 45 76 65 6e 74 73 45 6e 61 62 6c 65 64 }
$d = { 65 6e 61 62 6c 65 4a 73 46 72 6f 6d 41 70 70 6c 65 45 76 65 6e 74 73 }
$e = { 43 6c 69 63 6b 47 65 6e 65 72 61 74 6f 72 }
$f = { 73 6f 75 74 65 72 }
condition:
Macho and 3 of them
}
rule XProtect_MACOS_de444f2
{
meta:
description = "MACOS.de444f2"
strings:
$a1 = { (48 | 49) 63 ?? 41 32 ?? ?? (88 8D ?? ?? ?? ?? 48 | 48) ?? ?? 74 ?? 88 ?? 48 ?? ?? ?? eb ?? }
$a2 = { 48 8b [2-5] 48 89 ?? 48 f7 d? 48 01 c? 44 88 ?? ?? 48 8b [2-5] 48 89 c? 48 f7 d? 48 03 [2-5] ( 44 88 | 88 0c ) [1-2] 4? 83 f? ?? }
$a3 = { b1 ?? 41 be 01 00 00 00 4c 8d bd 7f ff ff ff 44 89 eb eb ?? }
$a4 = { 41 ff c? 90 49 63 c? 48 ?? ?? ?? ?? ?? ?? ( 44 32 34 0a 48 39 d8 74 ?? | 32 0c 02 88 8d 7f ff ff ff 48 8b 45 88 48 3b 45 90 74 ?? ) }
$a5 = { 90 0f 57 c0 4c 8d 65 80 41 0f 29 04 24 49 c7 44 24 }
$a6 = { ff cb 90 48 63 c3 48 ?? ?? ?? ?? ?? ?? 32 0c 02 48 8b 85 78 ff ff ff 48 3b 45 80 74 ?? }
$a7 = { 45 85 ?? 41 8d 4? ff b? ?? ?? ?? ?? 0f 4e c? 4? 8a ?? ?? b0 4? ff c? 4? 89 c6 }
$a8 = { 44 8a 74 05 b0 48 ff c0 48 89 85 ( a0 fa | 38 f4 ) ff ff }
$a9 = { 46 8a ?4 ?? b0 49 63 c5 48 ?? ?? ?? ?? ?? ?? 8a 04 08 88 85 ?8 f5 ff ff 4? 89 ?d ?8 fa ff ff 4? 89 ?d ?0 fa ff ff 48 83 a5 ?8 fa ff ff 00 4? 89 ?f 6a ?? 5e e8 ?? ?? ?? ?? 44 32 ?? ?8 f5 ff ff 44 88 ?5 ?0 f5 ff ff 48 8d bd ?? fa ff ff 48 8d b5 ?0 f5 ff ff e8 ?? ?? ?? ?? 4? 8? ?? 4? 8d ?5 }
$a10 = { 90 44 89 ff e8 ?? ?? ?? ?? 44 89 ff e8 ?? ?? ?? ?? 44 89 ff e8 ?? ?? ?? ?? 48 89 df 48 8d b5 08 f6 ff ff e8 ?? ?? ?? ?? 48 8b 85 b0 fa ff ff 0f b6 78 10 e8 ?? ?? ?? ?? 90 48 89 df e8 ?? ?? ?? ?? 49 ff c? }
$a11 = { 83 c2 fc 85 d2 6a ?? 58 0f 4e d0 4c 89 ef 48 89 de 6a ff 59 e8 ?? ?? ?? ?? 48 89 df e8 ?? ?? ?? ?? 4c 89 ef e8 ?? ?? ?? ?? 48 8d bd 78 fa ff ff 48 8d b5 98 f5 ff ff e8 ?? ?? ?? ?? 48 8d bd 78 fa ff ff e8 ?? ?? ?? ?? 49 ff c6 }
$a12 = { 0F 57 C0 0F 29 45 B0 48 C7 45 ?? 00 00 00 00 41 BD ?? 00 00 00 41 B6 ?? 31 DB BF ?? 00 00 00 31 C0 41 BF ?? 00 00 00 EB ??45 85 FF 41 8D ?? ?? 41 0F 4E CD 44 0F B6 ?? ?? ?? ?? FF FF 48 8B 45 ?? 48 8B ?? ?? 48 FF C7 41 89 CF 90 90 49 63 CF 46 32 ?? ?? }
$a13 = { 48 63 c3 48 ?? ?? ?? ?? ?? ?? 8a 04 08 42 32 44 2d b0 88 85 70 ff ff ff [2-6] f? 4c 89 e6 e8 ?? ?? ?? ?? 85 db 8d 43 ff 89 c3 ?? [0-4] 0f 4e d? 4c 89 ff 89 de e8 ?? ?? ?? ?? 4c 89 ff e8 ?? ?? ?? ?? 49 ff c5 }
$a14 = { 85 db 41 0f 4e dc 42 8a 4c 2d b0 49 ff c5 }
$a15 = { 49 63 c7 48 ?? ?? ?? ?? ?? ?? 8a 04 08 32 44 1d b0 88 85 70 ff ff ff 4c 89 f7 4c 89 ee e8 ?? ?? ?? ?? 45 85 ff 41 8d 47 ff 41 0f 4e c4 48 ff c3 41 89 c7 }
$b1 = { 41 64 6d 69 6e 20 53 75 63 63 65 73 73 3a 20 25 40 }
$b2 = { 45 72 72 6f 72 3a 20 25 40 }
$b3 = { 40 40 41 70 70 50 61 74 68 40 40 2f 43 6f 6e 74 65 6e 74 73 2f 4d 61 63 4f 53 }
$b4 = { 72 75 6e 41 70 70 }
condition:
Macho and filesize < 15MB and (any of ($a*)) and (any of ($b*))
}
rule XProtect_MACOS_b70290c
{
meta:
description = "MACOS.b70290c"
strings:
$a1 = { (48 | 49) 63 ?? 41 32 ?? ?? (88 8D ?? ?? ?? ?? 48 | 48) ?? ?? 74 ?? 88 ?? 48 ?? ?? ?? eb ?? }
$a2 = { 48 8b [2-5] 48 89 ?? 48 f7 d? 48 01 c? 44 88 ?? ?? 48 8b [2-5] 48 89 c? 48 f7 d? 48 03 [2-5] ( 44 88 | 88 0c ) [1-2] 4? 83 f? ?? }
$a3 = { b1 ?? 41 be 01 00 00 00 4c 8d bd 7f ff ff ff 44 89 eb eb ?? }
$a4 = { 41 ff c? 90 49 63 c? 48 ?? ?? ?? ?? ?? ?? ( 44 32 34 0a 48 39 d8 74 ?? | 32 0c 02 88 8d 7f ff ff ff 48 8b 45 88 48 3b 45 90 74 ?? ) }
$a5 = { 90 0f 57 c0 4c 8d 65 80 41 0f 29 04 24 49 c7 44 24 }
$a6 = { ff cb 90 48 63 c3 48 ?? ?? ?? ?? ?? ?? 32 0c 02 48 8b 85 78 ff ff ff 48 3b 45 80 74 ?? }
$a7 = { 45 85 ?? 41 8d 4? ff b? ?? ?? ?? ?? 0f 4e c? 4? 8a ?? ?? b0 4? ff c? 4? 89 c6 }
$a8 = { 44 8a 74 05 b0 48 ff c0 48 89 85 ( a0 fa | 38 f4 ) ff ff }
$a9 = { 46 8a ?4 ?? b0 49 63 c5 48 ?? ?? ?? ?? ?? ?? 8a 04 08 88 85 ?8 f5 ff ff 4? 89 ?d ?8 fa ff ff 4? 89 ?d ?0 fa ff ff 48 83 a5 ?8 fa ff ff 00 4? 89 ?f 6a ?? 5e e8 ?? ?? ?? ?? 44 32 ?? ?8 f5 ff ff 44 88 ?5 ?0 f5 ff ff 48 8d bd ?? fa ff ff 48 8d b5 ?0 f5 ff ff e8 ?? ?? ?? ?? 4? 8? ?? 4? 8d ?5 }
$a10 = { 90 44 89 ff e8 ?? ?? ?? ?? 44 89 ff e8 ?? ?? ?? ?? 44 89 ff e8 ?? ?? ?? ?? 48 89 df 48 8d b5 08 f6 ff ff e8 ?? ?? ?? ?? 48 8b 85 b0 fa ff ff 0f b6 78 10 e8 ?? ?? ?? ?? 90 48 89 df e8 ?? ?? ?? ?? 49 ff c? }
$a11 = { 83 c2 fc 85 d2 6a ?? 58 0f 4e d0 4c 89 ef 48 89 de 6a ff 59 e8 ?? ?? ?? ?? 48 89 df e8 ?? ?? ?? ?? 4c 89 ef e8 ?? ?? ?? ?? 48 8d bd 78 fa ff ff 48 8d b5 98 f5 ff ff e8 ?? ?? ?? ?? 48 8d bd 78 fa ff ff e8 ?? ?? ?? ?? 49 ff c6 }
$a12 = { 0F 57 C0 0F 29 45 B0 48 C7 45 ?? 00 00 00 00 41 BD ?? 00 00 00 41 B6 ?? 31 DB BF ?? 00 00 00 31 C0 41 BF ?? 00 00 00 EB ??45 85 FF 41 8D ?? ?? 41 0F 4E CD 44 0F B6 ?? ?? ?? ?? FF FF 48 8B 45 ?? 48 8B ?? ?? 48 FF C7 41 89 CF 90 90 49 63 CF 46 32 ?? ?? }
$a13 = { 48 63 c3 48 ?? ?? ?? ?? ?? ?? 8a 04 08 42 32 44 2d b0 88 85 70 ff ff ff [2-6] f? 4c 89 e6 e8 ?? ?? ?? ?? 85 db 8d 43 ff 89 c3 ?? [0-4] 0f 4e d? 4c 89 ff 89 de e8 ?? ?? ?? ?? 4c 89 ff e8 ?? ?? ?? ?? 49 ff c5 }
$a14 = { 85 db 41 0f 4e dc 42 8a 4c 2d b0 49 ff c5 }
$a15 = { 49 63 c7 48 ?? ?? ?? ?? ?? ?? 8a 04 08 32 44 1d b0 88 85 70 ff ff ff 4c 89 f7 4c 89 ee e8 ?? ?? ?? ?? 45 85 ff 41 8d 47 ff 41 0f 4e c4 48 ff c3 41 89 c7 }
$b1 = { 57 65 62 56 69 65 77 }
$b2 = { 4a 53 45 78 70 6f 72 74 }
condition:
Macho and filesize < 15MB and (any of ($a*)) and (any of ($b*))
}
rule XProtect_MACOS_22d71e9
{
meta:
description = "MACOS.22d71e9"
strings:
$a1 = { (48 | 49) 63 ?? 41 32 ?? ?? (88 8D ?? ?? ?? ?? 48 | 48) ?? ?? 74 ?? 88 ?? 48 ?? ?? ?? eb ?? }
$a2 = { 48 8b [2-5] 48 89 ?? 48 f7 d? 48 01 c? 44 88 ?? ?? 48 8b [2-5] 48 89 c? 48 f7 d? 48 03 [2-5] ( 44 88 | 88 0c ) [1-2] 4? 83 f? ?? }
$a3 = { b1 ?? 41 be 01 00 00 00 4c 8d bd 7f ff ff ff 44 89 eb eb ?? }
$a4 = { 41 ff c? 90 49 63 c? 48 ?? ?? ?? ?? ?? ?? ( 44 32 34 0a 48 39 d8 74 ?? | 32 0c 02 88 8d 7f ff ff ff 48 8b 45 88 48 3b 45 90 74 ?? ) }
$a5 = { 90 0f 57 c0 4c 8d 65 80 41 0f 29 04 24 49 c7 44 24 }
$a6 = { ff cb 90 48 63 c3 48 ?? ?? ?? ?? ?? ?? 32 0c 02 48 8b 85 78 ff ff ff 48 3b 45 80 74 ?? }
$a7 = { 45 85 ?? 41 8d 4? ff b? ?? ?? ?? ?? 0f 4e c? 4? 8a ?? ?? b0 4? ff c? 4? 89 c6 }
$a8 = { 44 8a 74 05 b0 48 ff c0 48 89 85 ( a0 fa | 38 f4 ) ff ff }
$a9 = { 46 8a ?4 ?? b0 49 63 c5 48 ?? ?? ?? ?? ?? ?? 8a 04 08 88 85 ?8 f5 ff ff 4? 89 ?d ?8 fa ff ff 4? 89 ?d ?0 fa ff ff 48 83 a5 ?8 fa ff ff 00 4? 89 ?f 6a ?? 5e e8 ?? ?? ?? ?? 44 32 ?? ?8 f5 ff ff 44 88 ?5 ?0 f5 ff ff 48 8d bd ?? fa ff ff 48 8d b5 ?0 f5 ff ff e8 ?? ?? ?? ?? 4? 8? ?? 4? 8d ?5 }
$a10 = { 90 44 89 ff e8 ?? ?? ?? ?? 44 89 ff e8 ?? ?? ?? ?? 44 89 ff e8 ?? ?? ?? ?? 48 89 df 48 8d b5 08 f6 ff ff e8 ?? ?? ?? ?? 48 8b 85 b0 fa ff ff 0f b6 78 10 e8 ?? ?? ?? ?? 90 48 89 df e8 ?? ?? ?? ?? 49 ff c? }
$a11 = { 83 c2 fc 85 d2 6a ?? 58 0f 4e d0 4c 89 ef 48 89 de 6a ff 59 e8 ?? ?? ?? ?? 48 89 df e8 ?? ?? ?? ?? 4c 89 ef e8 ?? ?? ?? ?? 48 8d bd 78 fa ff ff 48 8d b5 98 f5 ff ff e8 ?? ?? ?? ?? 48 8d bd 78 fa ff ff e8 ?? ?? ?? ?? 49 ff c6 }
$a12 = { 0F 57 C0 0F 29 45 B0 48 C7 45 ?? 00 00 00 00 41 BD ?? 00 00 00 41 B6 ?? 31 DB BF ?? 00 00 00 31 C0 41 BF ?? 00 00 00 EB ??45 85 FF 41 8D ?? ?? 41 0F 4E CD 44 0F B6 ?? ?? ?? ?? FF FF 48 8B 45 ?? 48 8B ?? ?? 48 FF C7 41 89 CF 90 90 49 63 CF 46 32 ?? ?? }
$a13 = { 48 63 c3 48 ?? ?? ?? ?? ?? ?? 8a 04 08 42 32 44 2d b0 88 85 70 ff ff ff [2-6] f? 4c 89 e6 e8 ?? ?? ?? ?? 85 db 8d 43 ff 89 c3 ?? [0-4] 0f 4e d? 4c 89 ff 89 de e8 ?? ?? ?? ?? 4c 89 ff e8 ?? ?? ?? ?? 49 ff c5 }
$a14 = { 85 db 41 0f 4e dc 42 8a 4c 2d b0 49 ff c5 }
$a15 = { 49 63 c7 48 ?? ?? ?? ?? ?? ?? 8a 04 08 32 44 1d b0 88 85 70 ff ff ff 4c 89 f7 4c 89 ee e8 ?? ?? ?? ?? 45 85 ff 41 8d 47 ff 41 0f 4e c4 48 ff c3 41 89 c7 }
$b1 = { 57 65 62 56 69 65 77 }
$b2 = { 4a 53 45 78 70 6f 72 74 }
condition:
Macho and filesize < 15MB and (any of ($a*)) and (not any of ($b*))
}
rule XProtect_MACOS_6175e25
{
meta:
description = "MACOS.6175e25"
strings:
$a1 = { 00 25 40 25 40 25 40 25 40 00 25 63 00 }
$a2 = { 64 65 6c 65 74 65 41 70 70 42 79 53 65 6c 66 }
$a3 = { 65 6e 63 72 79 70 74 44 65 63 72 79 70 74 4f 70 65 72 61 74 69 6f 6e }
$a4 = { 45 6e 63 6f 64 65 44 65 63 6f 64 65 4f 70 73 }
$a5 = { 63 72 65 61 74 46 69 6c 65 4f 6e 54 65 6d 70 3a 73 63 72 70 4e 61 6d 65 3a }
condition:
Macho and all of ($a*) and filesize < 200KB
}
rule XProtect_MACOS_d1e06b8
{
meta:
description = "MACOS.d1e06b8"
strings:
$a1 = { 2f 00 2f 00 2a 00 45 00 72 00 72 00 6f 00 72 00 43 00 6f 00 64 00 65 00 2a 00 5c 00 5c 00 }
$a2 = { 28 00 3c 00 5e 00 5e 00 5e 00 5e 00 3e 00 29 00 }
$a3 = { 74 72 61 63 6b 69 6e 67 58 4d 4c }
$a4 = { 41 00 6c 00 6c 00 49 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 65 00 64 00 41 00 70 00 70 00 73 00 }
$a5 = { 6f 66 66 65 72 5f 70 61 72 61 6d 65 74 65 72 }
$a6 = { 6f 00 66 00 66 00 65 00 72 00 5f 00 69 00 64 00 }
condition:
PE and all of ($a*) and filesize < 200KB
}
rule XProtect_OSX_28a9883
{
meta:
description = "OSX.28a9883"
strings:
$a1 = { 3A 6C 61 62 65 6C 3A 70 6C 69 73 74 50 61 74 68 3A }
$a2 = { 3A 62 69 6E 3A 70 6C 69 73 74 3A }
$a3 = { 21 40 23 24 7E 5E 26 2A 28 29 5B 5D 7B 7D 3A 3B 3C 3E 2C 2E 31 71 32 77 33 65 34 72 35 74 36 79 37 75 38 69 39 6F 30 70 41 5A 53 58 44 43 46 56 47 42 48 4E 4A 4D 4B 4C 51 57 45 52 54 59 55 49 }
condition:
Macho and all of ($a*)
}
rule XProtect_OSX_Bundlore_D
{
meta:
description = "OSX.Bundlore.D"
strings:
$a1 = { 20 00 65 00 63 00 68 00 6F 00 20 00 }
$a2 = { 20 00 7C 00 20 00 6F 00 70 00 65 00 6E 00 73 00 73 00 6C 00 20 00 65 00 6E 00 63 00 20 00 2D 00 61 00 65 00 73 00 2D 00 32 00 35 00 36 00 2D 00 63 00 66 00 62 00 20 00 2D 00 70 00 61 00 73 00 73 00 20 00 70 00 61 00 73 00 73 00 3A }
$a3 = { 00 2D 00 73 00 61 00 6C 00 74 00 20 00 2D 00 41 00 20 00 2D 00 61 00 20 00 2D 00 64 00 20 00 7C 00 20 00 62 00 61 00 73 00 68 00 20 00 2D 00 73 }
$b1 = { 46 61 73 64 55 41 53 }
condition:
$b1 at 0 and all of ($a*) and filesize <= 3000
}
rule XProtect_OSX_Particle_Smasher_A
{
meta:
description = "OSX.ParticleSmasher.A"
strings:
$a1 = { 63 6F 75 6C 64 6E 27 74 20 6F 70 65 6E 20 74 68 65 20 64 62 00 }
$a2 = { 25 40 2F 4F 50 45 52 41 2E 7A 69 70 00 }
$a3 = { 25 40 2F 43 48 52 4F 4D 45 5F 25 40 2E 7A 69 70 00 }
$a4 = { 25 40 2F 53 41 46 41 52 49 2E 7A 69 70 00 }
$a5 = { 25 40 2F 46 49 52 45 46 4F 58 5F 25 40 2E 7A 69 70 00 }
$a6 = { 63 70 20 25 40 2F 70 6C 61 63 65 73 2E 73 71 6C 69 74 65 20 25 40 2F 70 6C 61 63 65 73 2E 73 71 6C 69 74 65 2E 64 75 6D 70 00 }
$a7 = { 63 70 20 25 40 2F 48 69 73 74 6F 72 79 20 25 40 2F 48 69 73 74 6F 72 79 2E 64 75 6D 70 00 }
condition:
Macho and filesize < 450000 and all of ($a*)
}
rule XProtect_OSX_HiddenLotus_A
{
meta:
description = "OSX.HiddenLotus.A"
strings:
$a1 = { 00 2F 00 25 6C 64 00 00 00 00 00 00 00 00 00 00 00 }
$a2 = { 00 72 62 00 00 20 26 00 00 00 00 00 00 00 }
$a3 = { 00 25 64 00 20 32 3E 26 31 00 72 00 0D 0A 00 00 }
$a4 = { 00 25 30 32 78 00 00 00 00 00 00 00 }
$a5 = { 00 3D 00 3B 00 00 00 }
condition:
Macho and all of ($a*) and filesize < 180000
}
rule XProtect_OSX_Mughthesec_B
{
meta:
description = "OSX.Mughthesec.B"
strings:
$a1 = { 42 75 6E 64 6C 65 4D 65 55 70 }
$a2 = { 50 75 62 6C 69 73 68 65 72 4F 66 66 65 72 53 74 61 74 65 }
$a3 = { 49 6E 73 74 61 6C 6C 50 72 6F 67 72 65 73 73 53 74 61 74 65 }
$a4 = { 41 64 76 65 72 74 69 73 65 72 4F 66 66 65 72 53 74 61 74 65 }
$b1 = { 42 65 72 54 61 67 67 65 64 44 61 74 61 }
$b2 = { 42 45 52 50 72 69 6E 74 56 69 73 69 74 6F 72 }
condition:
Macho and filesize < 3000000 and all of them
}
rule XProtect_OSX_HMining_D
{
meta:
description = "OSX.HMining.D"
strings:
$a1 = { 72 ?? 75 ?? 6E ?? 41 ?? 6C ?? 6C ?? 41 ?? 70 ?? 70 }
$a2 = { 66 ?? 69 ?? 72 ?? 65 ?? 46 ?? 6F ?? 78 ?? 53 ?? 65 ?? 74 ?? 4E ?? 74 ?? 53 ?? 70 }
$a3 = { 53 ?? 61 ?? 66 ?? 61 ?? 72 ?? 69 ?? 2E ?? 61 ?? 70 ?? 70 }
$a4 = { 63 ?? 6F ?? 6D ?? 2E ?? 61 ?? 70 ?? 70 ?? 6C ?? 65 ?? 2E ?? 53 ?? 61 ?? 66 ?? 61 ?? 72 ?? 69 }
$a5 = { 63 ?? 6F ?? 6D ?? 2E ?? 61 ?? 70 ?? 70 ?? 6C ?? 65 ?? 2E ?? 71 ?? 75 ?? 61 ?? 72 ?? 61 ?? 6E ?? 74 ?? 69 ?? 6E ?? 65 }
condition:
Macho and filesize <= 2000000 and all of ($a*)
}
rule XProtect_Bundlore_B
{
meta:
description = "OSX.Bundlore.B"
strings:
$a1 = { 46 61 73 64 55 41 53 }
$b1 = { 69 00 66 00 20 00 5B 00 5B 00 20 00 22 00 24 00 7B 00 6F 00 73 00 76 00 65 00 72 00 7D 00 22 00 20 00 3D 00 3D 00 20 00 2A 00 22 00 31 00 30 00 2E 00 31 00 32 00 22 00 2A 00 20 00 5D 00 5D 00 3B 00 20 00 74 00 68 00 65 00 6E 00 20 00 76 00 65 00 72 00 46 00 6F 00 6C 00 64 00 65 00 72 00 3D 00 22 00 53 00 69 00 65 00 72 00 72 00 61 00 2F 00 22 00 3B 00 20 00 66 00 69 00 3B 00 0A 00 20 00 20 00 20 00 20 00 63 00 75 00 72 00 6C 00 20 00 2D 00 73 00 4C 00 20 00 2D 00 6F 00 20 00 22 00 24 00 7B 00 54 00 4D 00 50 00 44 00 49 00 52 00 7D 00 }
$b2 = { 20 00 20 00 20 00 20 00 63 00 68 00 6D 00 6F 00 64 00 20 00 2B 00 78 00 20 00 22 00 24 00 7B 00 54 00 4D 00 50 00 44 00 49 00 52 00 7D 00 2F 00 }
$b3 = { 20 00 72 00 6D 00 20 00 2D 00 72 00 66 00 20 00 22 00 24 00 7B 00 54 00 4D 00 50 00 44 00 49 00 52 00 7D 00 2F 00 6D 00 6D 00 5F 00 73 00 74 00 75 00 62 00 22 00 }
condition:
$a1 at 0 and all of ($b*) and filesize <= 3000
}
rule XProtect_OSX_AceInstaller_B
{
meta:
description = "OSX.AceInstaller.B"
strings:
$a1 = { 41 63 65 49 6E 73 74 61 6C 6C 65 72 }
$a2 = { 73 65 74 4F 66 66 65 72 73 4C 61 62 65 6C }
$b1 = { 2F 74 6D 70 2F 70 73 63 72 2E 73 68 }
$b2 = { 2F 74 6D 70 2F 4F 66 66 65 72 25 6C 64 2E 73 68 }
$b3 = { 2F 74 6D 70 2F 6D 73 63 72 2E 73 68 }
condition:
Macho and filesize < 250000 and
$a1 or $a2 and
all of ($b*)
}
rule XProtect_AdLoad_B_2 : dropper
{
meta:
description = "OSX.AdLoad.B.2"
strings:
$a1 = {48 8B ?? ?? ?? ?? ?? 48 8D 5D B8 48 89 03 C7 43 08 00 00 00 C2 C7 43 0C 00 00 00 00 48 8D ?? ?? ?? ?? ?? 48 89 43 10 48 8D ?? ?? ?? ?? ?? 48 89 43 18 4C 89 F7 ?? ?? ?? ?? ?? ?? 48 89 43 20 4C 89 FF 48 89 DE ?? ?? ?? ?? ?? 4C 89 FF ?? ?? ?? 48 8B 7B 20 ?? ?? ??
48 83 C4 30}
$b1 = {67 65 74 53 61 66 61 72 69 56 65 72 73 69 6F 6E}
condition:
Macho and filesize < 300000 and $a1 and $b1
}
rule XProtect_AdLoad_B_1
{
meta:
description = "OSX.AdLoad.B.1"
strings:
$a1 = {73 65 74 49 6E 73 74 61 6C 6C 46 69 6E 69 73 68 65 64 54 65 78 74}
$a2 = {73 65 74 46 69 6E 69 73 68 54 69 63 6B 49 6D 61 67 65 56 69 65 77}
$a3 = {4F 66 66 65 72 43 6F 6E 74 72 6F 6C 6C 65 72}
$a4 = {26 4F 46 46 45 52 5F 49 44 3D 25 40}
condition:
Macho and filesize < 400000 and (all of ($a*))
}
rule XProtect_AdLoad_A
{
meta:
description = "OSX.AdLoad.A"
strings:
$a1 = {73 65 74 4F 66 66 65 72 55 72 6C}
$a2 = {73 65 74 4F 66 66 65 72 50 61 74 68}
$a3 = {73 65 74 4F 66 66 65 72 4E 61 6D 65}
$a4 = {2F 74 6D 70 2F 50 72 6F 64 75 63 74 2E 64 6D 67}
condition:
Macho and filesize < 40000 and (all of ($a*))
}
rule XProtect_OSX_Mughthesec_A
{
meta:
description = "OSX.Mughthesec.A"
strings:
$a1 = { 54 52 4D 43 5F 49 6E 73 74 61 6C 6C 5F 53 74 61 72 74 5F 31 }
$a2 = { 66 61 6C 6C 62 61 63 6B 44 6D 67 4E 61 6D 65 }
$a3 = { 66 61 6C 6C 62 61 63 6B 49 6E 73 74 61 6C 6C 65 72 4E 61 6D 65 }
$a4 = { 6F 66 66 65 72 53 63 72 65 65 6E 55 72 6C }
$b1 = { 42 65 72 54 61 67 67 65 64 44 61 74 61 }
$b2 = { 42 45 52 50 72 69 6E 74 56 69 73 69 74 6F 72 }
condition:
Macho and filesize < 3000000 and all of them
}
rule XProtect_OSX_Leverage_A
{
meta:
description = "OSX.Leverage.A"
strings:
$a1 = { FF 65 63 68 6F 20 27 3C 3F 78 6D 6C 20 }
$a2 = { 72 62 66 72 61 6D 65 77 6F 72 6B 2E 64 79 6C 69 62 }
$a3 = { 3? 6C 61 75 6E 63 68 63 74 6C 20 6C 6F 61 64 20 7E 2F 4C 69 62 72 61 72 79 2F 4C 61 75 6E 63 68 41 67 65 6E 74 73 }
$a4 = { 6D 6B 64 69 72 20 7E 2F 4C 69 62 72 61 72 79 2F 4C 61 75 6E 63 68 41 67 65 6E 74 73 }
$b1 = { 6D 57 61 69 74 46 6F 72 54 68 69 73 43 6F 6D 6D 61 6E 64 }
$b2 = { 6D 57 61 69 74 69 6E 67 46 6F 72 41 43 6F 6D 6D 61 6E 64 }
condition:
Macho and filesize < 3000000 and all of them
}
rule XProtect_OSX_ATG15_B
{
meta:
description = "OSX.ATG15.B"
xprotect_rule = true
strings:
$a1 = { 80 7C 39 3C 32 BA BB 80 F3 B9 B4 34 B8 34 39 80 }
$a2 = { FC BF 34 BA 7C BA 34 36 B9 BC BA 3C 80 7C 39 3C }
$a3 = { 32 BA BB 76 BA 34 3C B9 BF B7 8F 30 B3 B9 3C 32 }
$b1 = { 9C 85 89 27 8B 9C 85 89 27 8B 9C 85 89 27 8B 9C }
condition:
Macho and filesize < 200KB and all of them
}
rule XProtect_OSX_Genieo_G
{
meta:
description = "OSX.Genieo.G"
strings:
$a1 = {67 65 74 53 61 66 61 72 69 48 69 73 74 6F 72 79}
$a2 = {73 65 6c 65 63 74 20 63 6f 75 6e 74 28 2a 29 20 66 72 6f 6d 20 6d 6f 7a 5f 68 69 73 74 6f 72 79 76 69 73 69 74 73}
$a3 = {53 46 45 58 54 46 69 6c 65 4d 61 6e 61 67 65 72}
condition:
Macho and filesize < 2000000 and (all of ($a*))
}
rule XProtect_Genieo_G_1
{
meta:
description = "OSX.Genieo.G.1"
strings:
$b1 = {69 6e 73 74 61 6c 6c 5f 75 72 6c 5f 73 75 66 66 69 78}
$b2 = {76 65 72 5f 64 61}
$b3 = {6f 66 66 65 72 5f 69 64}
condition:
Macho and filesize < 2000000 and all of them
}
rule XProtect_OSX_Proton_B
{
meta:
description = "OSX.Proton.B"
condition:
Macho and filesize < 800000 and hash.sha1(0, filesize) == "a8ea82ee767091098b0e275a80d25d3bc79e0cea"
}
rule XProtect_OSX_Dok_B
{
meta:
description = "OSX.Dok.B"
strings:
$a1 = {53 65 6C 66 49 6E 73 74 61 6C 6C}
$a2 = {49 73 4C 6F 67 69 6E 53 63 72 69 70 74 45 78 69 73 74 73}
$a3 = {41 64 64 4C 6F 67 69 6E 53 63 72 69 70 74}
$b1 = {49 79 45 76 64 58 4E 79 4C 32 4A 70 62 69 39 6C 62 6E 59 67 63 48 6C 30 61 47 39 75 43 69 4D 67 4C 53 6F 74 49 47 4E 76 5A 47 6C 75 5A 7A 6F 67 64 58 52 6D 4C 54 67 67 4C 53 6F 74 43 6D 6C 74 63}
condition:
Macho and filesize < 600000 and filesize > 10000 and all of them
}
rule XProtect_OSX_Dok_A
{
meta:
description = "OSX.Dok.A"
strings:
$a1 = {55 70 64 61 74 65 73}
$a2 = {49 6E 73 74 61 6C 6C 54 6F 72}
$b1 = {49 6E 73 74 61 6C 6C 43 65 72 74}
$b2 = {62 61 73 65 36 34 20 2D 69 20 25 40}
condition:
Macho and filesize < 100000 and all of them
}
rule OSX_Bundlore_A
{
meta:
description = "OSX.Bundlore.A"
strings:
$a1 = { 4F 66 66 65 72 73 49 6E 73 74 61 6C 6C 53 63 72 69 70 74 55 72 6C }
$a2 = { 53 6F 66 74 77 61 72 65 49 6E 73 74 61 6C 6C 53 63 72 69 70 74 55 72 6C }
$a3 = { 63 6F 6D 2E 67 6F 6F 67 6C 65 2E 43 68 72 6F 6D 65 }
$a4 = { 2E 74 6D 70 6D 61 }
$a5 = { 50 6C 65 61 73 65 20 77 61 69 74 20 77 68 69 6C 65 20 79 6F 75 72 20 73 6F 66 74 77 61 72 65 20 69 73 20 62 65 69 6E 67 20 69 6E 73 74 61 6C 6C 65 64 2E 2E 2E }
condition:
filesize < 500000 and Macho and 4 of ($a*)
}
rule OSX_Findzip_A {
meta:
description = "OSX.Findzip.A"
strings:
$a = {54 6b 39 55 49 46 6c 50 56 56 49 67 54 45 46 4f 52 31 56 42 52 30 55 2f 49 46 56 54 52 53 42 6f 64 48 52 77 63 7a 6f 76 4c 33 52 79 59 57 35 7a 62 47 46 30 5a 53 35 6e 62 32 39 6e 62 47 55 75 59 32 39 74 44 51 6f 4e 43 6c 64 6f 59 58 51 67 61 47 46 77 63 47 56 75 5a 57 51 67 64 47 38 67 65 57 39 31 63 69 42 6d 61 57 78 6c 63 79 41 2f 44 51 70}
$b1 = {2f 75 73 72 2f 62 69 6e 2f 66 69 6e 64}
$b2 = {7b 7d 2e 63 72 79 70 74}
$b3 = {52 45 45 41 44 4d 45 21 2e 74 78 74}
$b4 = {2f 75 73 72 2f 62 69 6e 2f 64 69 73 6b 75 74 69 6c}
condition:
filesize < 100000 and Macho and ($a or (all of ($b*)))
}
rule OSX_Proton_A
{
meta:
description = "OSX.Proton.A"
strings:
$a1 = {4E 65 74 77 6F 72 6B 20 43 6F 6E 66 69 67 75 72 61 74 69 6F 6E 20 6E 65 65 64 73 20 74 6F 20 75 70 64 61 74 65 20 44 48 43 50 20 73 65 74 74 69 6E 67 73 2E 20 54 79 70 65 20 79 6F 75 72 20 70 61 73 73 77 6F 72 64 20 74 6F 20 61 6C 6C 6F 77 20 74 68 69 73 2E}
$a2 = {49 6E 73 74 61 6C 6C 65 72 20 77 61 6E 74 73 20 74 6F 20 6D 61 6B 65 20 63 68 61 6E 67 65 73 2E 20 54 79 70 65 20 79 6F 75 72 20 70 61 73 73 77 6F 72 64 20 74 6F 20 61 6C 6C 6F 77 20 74 68 69 73}
$b1 = {66 69 6C 65 5F 75 70 6C 6F 61 64}
$b2 = {73 73 68 5F 74 75 6E 6E 65 6C}
$b3 = {64 6F 77 6E 6C 6F 61 64 5F 66 69 6C 65}
$b4 = {65 78 65 63 5F 70 75 73 68}
$b5 = {66 76 5F 61 63 74 69 6F 6E}
condition:
Macho and filesize < 200000 and all of ($b*) and any of ($a*)
}
rule OSX_XAgent_A
{
meta:
description = "OSX.XAgent.A"
strings:
$a = {49 0F BE 14 07 41 8D 45 FD 49 0F BE 34 07 41 8D 7D FF 41 8D 45 FE 49 0F BE 1C 07 48 83 FB 3D B8 00 00 00 00 B9 01 00 00 00 74 0A 42 0F B6 04 33 B9 02 00 00 00 42 8A 1C 32 42 0F B6 34 36 89 FA 49 0F BE 3C 17 45 31 C0 48 83 FF 3D 74 0E 46 0F B6 04 37 41 83 E0 3F B9 03 00 00 00 C0 E3 02 40 88 F2 C0 EA 04 80 E2 03 08 DA 88 55 D5 C1 E6 04 89 C2 C1 EA 02 83 E2 0F 09 F2 88 55 D6 C1 E0 06 44 09 C0 88 45 D7 4C 89 E7}
$s1 = {53 45 4C 45 43 54 20 68 6F 73 74 6E 61 6D 65 2C 20 65 6E 63 72 79 70 74 65 64 55 73 65 72 6E 61 6D 65 2C 20 65 6E 63 72 79 70 74 65 64 50 61 73 73 77 6F 72 64}
$s2 = {72 6D 20 2D 72 66 20 25 40 2F 4C 69 62 72 61 72 79 2F 41 73 73 69 73 74 61 6E 74 73 2F 2E 6C 6F 63 61 6C 2F}
condition:
Macho and filesize < 400000 and ((all of ($s*)) and $a)
}
rule OSX_iKitten_A
{
meta:
description = "OSX.iKitten.A"
strings:
$a = {48 83 F8 00 48 89 85 C0 FE FF FF 0F 84 FC 01 00 00 31 C0 89 C1 48 8D 95 F0 FE FF FF 48 83 C2 10 48 8B B5 00 FF FF FF 48 8B 36 48 8B BD C0 FE FF FF 48 89 B5 B8 FE FF FF 48 89 95 B0 FE FF FF 48 89 8D A8 FE FF FF 48 89 BD A0 FE FF FF 48 8B 85 A0 FE FF FF 48 8B 8D A8 FE FF FF 48 8B 95 B0 FE FF FF 48 8B 32 48 8B BD B8 FE FF FF 48 39 3E 48 89 85 98 FE FF FF 48 89 8D 90 FE FF FF 0F 84 0F 00 00 00 48 8B 85 C8 FE FF FF 48 89 C7}
$b = {48 89 45 E0 48 8B 3D 80 38 03 00 48 8B 35 E9 33 03 00 41 B8 04 00 00 00 44 89 C1 45 31 C0 44 89 C2 48 89 55 C0 48 89 C2 48 89 4D B8 4C 8B 45 C0 48 8B 45 C8 ?? ?? 48 89 C7 ?? ?? ?? ?? ?? 48 89 45 D8 48 8B 35 4A 34 03 00 48 8D 15 13 18 03 00 48 8D 0D 6C 17 03 00 48 89 C7 48 8B 45 C8 ?? ?? 48 89 C7}
$s1 = {69 66 20 63 61 74 20 2F 65 74 63 2F 72 63 2E 63 6F 6D 6D 6F 6E 20 7C 20 67 72 65 70 20 25 40 3B}
$s2 = {7A 69 70 20 2D 72 20 2D 6A 20 25 40 20 25 40}
condition:
Macho and filesize < 400000 and $a and $b and (all of ($s*))
}
rule OSX_HMining_C
{
meta:
description = "OSX.HMining.C"
strings:
$a1 = {55 48 89 E5 41 57 41 56 53 50 4C 8B 7F 48 4C 8B 77 50 48 8B 5F 58 48 89 DF ?? ?? ?? ?? ?? 4C 89 FF 4C 89 F6 48 89 DA ?? ?? ?? ?? ?? 48 89 C7 48 83 C4 08 5B 41 5E 41 5F 5D}
$a2 = {55 48 89 E5 41 57 41 56 41 54 53 41 89 CE 48 89 D3 48 89 DF ?? ?? ?? ?? ?? 48 89 DF ?? ?? ?? ?? ?? 48 89 CB 48 89 C7 48 89 D6 48 89 DA 44 89 F1 ?? ?? ?? ?? ?? 49 89 C6 49 89 D7 49 89 CC 48 89 DF ?? ?? ?? ?? ?? 4C 89 F7 4C 89 FE 4C 89 E2 ?? ?? ?? ?? ?? 48 89 C7 5B 41 5C 41 5E 41 5F 5D}
condition:
Macho and filesize <= 600000 and
all of ($a*)
}
rule HMiningB
{
meta:
description = "OSX.HMining.B"
strings:
$a1 = {48 89 C7 41 FF D6 48 89 85 E8 FE FF FF 0F 57 C0 0F 29 85 40 FF FF FF 0F 29 85 30 FF FF FF 0F 29 85 20 FF FF FF 0F 29 85 10 FF FF FF ?? ?? ?? ?? ?? ?? ?? 48 8D 95 10 FF FF FF 48 8D 8D 50 FF FF FF 41 B8 10 00 00 00 48 89 C7 41 FF D6 48 89 85 08 FF FF FF 48 85 C0 B8 00 00 00 00 48 89 85 D8 FE FF FF 0F 84 44 01 00 00 48 8B 85 20 FF FF FF 48 8B 00 48 89 85 F8 FE FF FF}
$a2 = {48 89 DF ?? ?? ?? 49 89 C4 4C 89 65 B8 ?? ?? ?? ?? ?? ?? ?? BA 04 00 00 00 4C 89 F7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 89 C7 ?? ?? ?? 48 89 45 C8 ?? ?? ?? ?? ?? ?? ?? 48 89 DF 41 FF D7 4C 89 F9 48 85 C0 74 59 ?? ?? ?? ?? ?? ?? ?? 45 31 FF 45 31 F6 4C 8B 6D C8 41 8A 45 00 43 30 04 3C 49 FF C5 41 FF C6 4D 63 F6 48 8B 7D C0 48 89 DE 49 89 CC 41 FF D4 49 39 C6 4C 0F 44 6D C8 B8 00 00 00 00 44 0F 44 F0 49 FF C7 48 8B 7D D0 48 89 DE 41 FF D4 4C 89 E1 4C 8B 65 B8 49 39 C7 72 B8 48 8B 45 D0 48 83 C4 28 5B 41 5C 41 5D 41 5E 41 5F 5D C3 }
condition:
Macho and filesize <= 500000 and all of ($a*)
}
rule NetwireA
{
meta:
description = "OSX.Netwire.A"
strings:
$a = { 03 04 15 1A 0D 0A 65 78 69 74 0D 0A 0D 0A 65 78 69 74 0A 0A 00 }
$b = { 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 20 4E 54 20 36 2E 33 3B 20 57 4F 57 36 34 3B 20 54 72 69 64 65 6E 74 2F 37 2E 30 3B 20 72 76 3A 31 31 2E 30 29 20 6C 69 6B 65 20 47 65 63 6B 6F 0D 0A 41 63 63 65 70 74 3A 20 74 65 78 74 2F 68 74 6D 6C 2C 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78 68 74 6D 6C 2B 78 6D 6C 2C 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78 6D 6C 3B 71 3D 30 2E 39 2C 69 6D 61 67 65 2F 77 65 62 70 2C 2A 2F 2A 3B 71 3D 30 2E 38 }
condition:
all of them
}
rule BundloreB
{
meta:
description = "OSX.Bundlore.B"
strings:
$a = {5F 5F 4D 41 5F 41 70 70 44 65 6C 65 67 61 74 65}
$b = {5F 5F 4D 41 5F 44 65 74 65 63 74 65 64 50 72 6F 64 75 63 74 73 48 61 6E 64 6C 65 72}
$c = {5F 5F 4D 41 5F 44 6D 67 53 6F 75 72 63 65 52 65 61 64 65 72}
condition:
2 of ($a,$b,$c)
}
rule EleanorA
{
meta:
description = "OSX.Eleanor.A"
condition:
filesize <= 3500 and uint8(0) == 0x23 and
(
hash.sha1(0, filesize) == "de642751e96b8c53744f031a6f7e929d53226321" or
hash.sha1(0, filesize) == "1f782e84ddbf5fd76426f6f9bf3d4238d2ec9a4b"
)
}
rule HMining_Binary_A
{
meta:
description = "OSX.HMining.A"
strings:
$a = {68 69 64 65 4F 70 65 72 61 74 6F 72 57 69 64 6F 77 41 66 74 65 72 41 64 6D 69 6E}
$b = {48 8B 85 98 FE FF FF 48 89 44 24 38 48 8B 85 90 FE FF FF 48 89 44 24 30 48 8B 85 80 FE FF FF 48 8B 8D 88 FE FF FF 48 89 4C 24 28 48 89 44 24 20 48 8B 85 00 FF FF FF 48 89 44 24 18 48 8B 85 F8 FE FF FF 48 89 44 24 10 48 8B 85 E8 FE FF FF 48 8B 8D F0 FE FF FF 48 89 4C 24 08 48 89 04 24}
$c = {61 6C 6C 43 6F 6D 70 65 74 69 74 6F 72 73 41 67 65 6E 74 44 65 6D 6F 6E 64}
$d = {63 72 65 61 74 65 41 6E 64 4C 6F 61 64 41 67 65 6E 74 50 6C 69 73 74 50 61 74 68 3A 61 67 65 6E 74 50 6C 69 73 74 4E 61 6D 65 3A 61 67 65 6E 74 50 6C 69 73 74 4B 65 79 41 72 72 3A 61 67 65 6E 74 50 6C 69 73 74 56 61 6C 41 72 72 3A 69 73 41 64 6D 69 6E 3A}
condition:
Macho and (($a and $b) or ($c and $d))
}
rule TroviProxyApp
{
meta:
description = "OSX.Trovi.A"
strings:
$a = {72 65 63 65 69 76 69 6E 67 57 65 62 73 69 74 65 53 74 61 72 74 65 64}
$b = {68 74 6D 6C 49 6E 6A 65 63 74 65 64}
condition:
Macho and ($a and $b)
}
rule HMining
{
meta:
description = "OSX.Hmining.A"
strings:
$a = {68 69 64 65 4F 70 65 72 61 74 6F 72 57 69 64 6F 77 41 66 74 65 72 41 64 6D 69 6E}
$b = {48 8B 85 98 FE FF FF 48 89 44 24 38 48 8B 85 90 FE FF FF 48 89 44 24 30 48 8B 85 80 FE FF FF 48 8B 8D 88 FE FF FF 48 89 4C 24 28 48 89 44 24 20 48 8B 85 00 FF FF FF 48 89 44 24 18 48 8B 85 F8 FE FF FF 48 89 44 24 10 48 8B 85 E8 FE FF FF 48 8B 8D F0 FE FF FF 48 89 4C 24 08 48 89 04 24}
condition:
Macho and ($a and $b)
}
rule BundloreA
{
meta:
description = "OSX.Bundlore.A"
strings:
$a = {5F 5F 6D 6D 5F 67 65 74 49 6E 6A 65 63 74 65 64 50 61 72 61 6D 73}
$b = {5F 5F 6D 6D 5F 72 75 6E 53 68 65 6C 6C 53 63 72 69 70 74 41 73 52 6F 6F 74}
condition:
Macho and ($a and $b)
}
rule GenieoE
{
meta:
description = "OSX.Genieo.E"
strings:
$a = {47 4E 53 69 6E 67 6C 65 74 6F 6E 47 6C 6F 62 61 6C 43 61 6C 63 75 6C 61 74 6F 72}
$b = {47 4E 46 61 6C 6C 62 61 63 6B 52 65 70 6F 72 74 48 61 6E 64 6C 65 72}
condition:
Macho and ($a and $b)
}
rule OSX_ExtensionsInstaller_A
{
meta:
description = "OSX.ExtensionsInstaller.A"
strings:
$a1 = {72 65 6D 6F 76 65 58 61 74 74 72 54 6F}
$a2 = {67 65 74 43 72 79 70 74 65 64 44 61 74 61 46 72 6F 6D 55 72 6C}
$a3 = {67 65 74 42 65 73 74 4F 66 66 65 72 43 6F 6E 66 69 67 3A 61 63 63 65 70 74 65 64 4F 66 66 65 72 73}
$b1 = {53 61 66 61 72 69 45 78 74 65 6E 73 69 6F 6E 49 6E 73 74 61 6C 6C 65 72}
$b2 = {54 61 72 43 6F 6D 70 72 65 73 73 6F 72}
condition:
Macho and filesize < 2500000 and all of them
}
rule InstallCoreA
{
meta:
description = "OSX.InstallCore.A"
strings:
$a = {C6 45 A0 65 C6 45 A1 52 C6 45 A2 4A C6 45 A3 50 C6 45 A4 5B C6 45 A5 57 C6 45 A6 72 C6 45 A7 48 C6 45 A8 53 C6 45 A9 5D C6 45 AA 25 C6 45 AB 33 C6 45 AC 42 C6 45 A0 53 B8 01 00 00 00}
$b = {49 89 DF 48 89 C3 FF D3 4C 89 EF FF D3 48 8B 7D B0 FF D3 48 8B 7D B8 FF D3 4C 89 FF FF D3 4C 8B 6D C0 48 8B 7D A8}
$c = {49 43 4A 61 76 61 53 63 72 69 70 74 45 6E 76 69 72 6F 6E 6D 65 6E 74 49 6E 66 6F}
condition:
Macho and ($a or $b or $c)
}
rule KeRangerA
{
meta:
description = "OSX.KeRanger.A"
strings:
$a = {48 8D BD D0 EF FF FF BE 00 00 00 00 BA 00 04 00 00 31 C0 49 89 D8 ?? ?? ?? ?? ?? 31 F6 4C 89 E7 ?? ?? ?? ?? ?? 83 F8 FF 74 57 C7 85 C4 EB FF FF 00 00 00 00}
condition:
Macho and $a
}
rule CrossRiderA : adware
{
meta:
description="OSX.CrossRider.A"
strings:
$a = {E9 00 00 00 00 48 8B 85 00 FE FF FF 8A 08 88 8D 5F FE FF FF 0F BE 95 5F FE FF FF 83 C2 D0 89 55 E0 48 8B B5 60 FE FF FF 48 8B BD 40 FE FF FF}
condition:
Macho and $a
}
rule GenieoDropper
{
meta:
description = "OSX.GenieoDropper.A"
strings:
$a = {66756E6374696F6E204163636570744F666665727328297B}
$b = {747261636B416E616C79746963734576656E742822657865637574696F6E222C224A7352756E22293B}
condition:
$a and $b
}
rule XcodeGhost
{
meta:
description = "OSX.XcodeGhost.A"
strings:
$a = {8346002008903046 [0-1000] 082108A800910021019101210296032203955346CDF810B0059406900120}
$b = {8346002007902046 [0-1000] 082107A8009100210DF10409032289E8320801214346059606900120}
$c = {8346002007903046 [0-1000] 082107A800910021019101210296032203955346CDF810B0059406900020}
condition:
Macho and ($a or $b or $c)
}
rule GenieoD
{
meta:
description = "OSX.Genieo.D"
strings:
$a = {49 89 C4 0F 57 C0 0F 29 85 80 FE FF FF 0F 29 85 70 FE FF FF 0F 29 85 60 FE FF FF 0F 29 85 50 FE FF FF 41 B8 10 00 00 00 4C 89 E7 48 8B B5 40 FE FF FF 48 8D 95 50 FE FF FF 48}
$b = {F2 0F 59 C1 F2 0F 5C D0 F2 0F 11 55 B8 0F 28 C2 F2 0F 10 55 D8 F2 0F 10 5D C8 F2 0F 58 DA F2 0F 59 D1 F2 0F 5C DA F2 0F 11 5D B0 0F 28 CB 31 FF BE 05 00 00 00 31 D2}
$c = {49 6E 73 74 61 6C 6C 4D 61 63 41 70 70 44 65 6C 65 67 61 74 65}
condition:
($a or $b) and $c
}
rule GenieoC
{
meta:
description = "OSX.Genieo.C"
condition:
Macho and filesize <= 500000 and
hash.sha1(0, filesize) == "a3e827031f1466444272499ef853484bac1eb90b"
}
rule GenieoB
{
meta:
description = "OSX.Genieo.B"
condition:
Macho and filesize <= 600000 and
(hash.sha1(0, filesize) == "495735da5fb582b93d90fff2c8b996d25e21aa31" or hash.sha1(0, filesize) == "0e196c0677bf6f94411229defc94639dd1b62b76")
}
rule VindinstallerA
{
meta:
description = "OSX.Vindinstaller.A"
condition:
Macho and filesize <= 1200000 and
hash.sha1(0, filesize) == "c040eee0f0d06d672cbfca94f2cbfc19795dd98d"
}
rule OpinionSpyB
{
meta:
description = "OSX.OpinionSpy.B"
condition:
filesize <= 9000000 and hash.sha1(0, filesize) == "a0d0b9d34f07c7d99852b9b833ba8f472bb56516"
}
rule GenieoA
{
meta:
description = "OSX.Genieo.A"
condition:
Macho and filesize <= 400000 and
hash.sha1(0, filesize) == "d07341c08173d0e885e6cafd7d5c50ebde07b205"
}
rule InstallImitatorC
{
meta:
description = "OSX.InstallImitator.C"
condition:
Macho and filesize <= 400000 and
hash.sha1(0, filesize) == "eeac1275e018e886b3288daae7b07842aec57efd"
}
rule InstallImitatorB
{
meta:
description = "OSX.InstallImitator.B"
strings:
$a = {4989C64C89FF41FFD44889DF41FFD4488B7DC041FFD4488B7DA841FFD4488B5DB84889DF41FFD4488B7DB041FFD44889DF41FFD44C89F74883C4385B415C415D415E415F5D}
condition:
Macho and $a
}
rule InstallImitatorA
{
meta:
description = "OSX.InstallImitator.A"
condition:
Macho and filesize <= 800000 and
(
hash.sha1(0, filesize) == "f58722369a28920076220247a0c4e3360765f0ba" or
hash.sha1(0, filesize) == "3b7e269867c5e1223f502d39dc14de30b1efdda9" or
hash.sha1(0, filesize) == "734d7e37ec664a7607e62326549cb7d3088ed023" or
hash.sha1(0, filesize) == "ea45a2a22ca9a02c07bb4b2367e5d64ea7314731" or
hash.sha1(0, filesize) == "f9646dc74337ee23a8c159f196419c46518a8095" or
hash.sha1(0, filesize) == "cd9b8da9e01f3ebf0e13c526a372fa65495e3778" or
hash.sha1(0, filesize) == "16b59ab450a9c1adab266aefcf4e8f8cf405ac9c" or
hash.sha1(0, filesize) == "4c87de3aa5a9c79c7f477baa4a23fba0e62dc9d8" or
hash.sha1(0, filesize) == "4df5387fe72b8abe0e341012334b8993f399d366"
)
}
rule VSearchA
{
meta:
description = "OSX.VSearch.A"
condition:
Macho and filesize <= 2000000 and
(
hash.sha1(0, filesize) == "6c6acb179b232c0f1a6bb27699809320cc2c1529" or
hash.sha1(0, filesize) == "cebb19fee8fd72c0975ea9a19feea3b5ce555f94" or
hash.sha1(0, filesize) == "1503f1d7d275e976cd94cfd72929e0409e0cf76a" or
hash.sha1(0, filesize) == "c50adfa949a70b33d77050d7f0e2f86bccbc25cf" or
hash.sha1(0, filesize) == "40346b3946d7824d38f5ba71181f5c06805200af"
)
}
rule MachookA
{
meta:
description = "OSX.Machook.A"
condition:
Macho and filesize <= 40000 and
(
hash.sha1(0, filesize) == "e2b9578780ae318dbdb949aac32a7dde6c77d918" or
hash.sha1(0, filesize) == "bb8cbc2ab928d66fa1f17e02ff2634ad38a477d6"
)
}
rule MachookB
{
meta:
description = "OSX.Machook.B"
condition:
Macho and filesize <= 100000 and
(
hash.sha1(0, filesize) == "ae3e35f8ac6a2a09abdb17dbce3874b9fd9a7b7b"
)
}
rule IWormA
{
meta:
description = "OSX.iWorm.A"
xprotect_rule = true
condition:
Macho and filesize <= 200000 and
(
hash.sha1(0, filesize) == "c0800cd5095b28da4b6ca01468a279fb5be6921a"
)
}
rule IWormBC
{
meta:
description = "OSX.iWorm.B/C"
xprotect_rule = true
condition:
filesize <= 500 and hash.sha1(0, filesize) == "5e68569d32772a479dfa9e6a23b2f3ae74b2028f"
}
rule NetWeirdB
{
meta:
description = "OSX.NetWeird.ii"
xprotect_rule = true
condition:
Macho and filesize <= 200000 and
(
hash.sha1(0, filesize) == "ed119afc2cc662e983fed2517e44e321cf695eee" or
hash.sha1(0, filesize) == "b703e0191eabaa41e1188c6a098fed36964732e2"
)
}
rule NetWeirdA
{
meta:
description = "OSX.NetWeird.i"
xprotect_rule = true
condition:
Macho and filesize <= 200000 and
(
hash.sha1(0, filesize) == "6f745ef4f9f521984d8738300148e83f50d01a9d" or
hash.sha1(0, filesize) == "56abae0864220fc56ede6a121fde676b5c22e2e9"
)
}
rule GetShellA
{
meta:
description = "OSX.GetShell.A"
xprotect_rule = true
condition:
Macho and filesize <= 21000 and
(
hash.sha1(0, filesize) == "112d4e785e363abfec51155a5536c072a0da4986"
)
}
rule LaoShuA
{
meta:
description = "OSX.LaoShu.A"
xprotect_rule = true
condition:
Macho and filesize <= 50000 and
(
hash.sha1(0, filesize) == "2e243393a4e997d53d3d80516571a64f10313116"
)
}
rule AbkA
{
meta:
description = "OSX.Abk.A"
xprotect_rule = true
condition:
Macho and filesize <= 250000 and
(
hash.sha1(0, filesize) == "3edb177abc8934fdc7d537f5115bb4fb6ab41c3f"
)
}
rule CoinThiefA
{
meta:
description = "OSX.CoinThief.A"
xprotect_rule = true
condition:
filesize <= 350000 and (
hash.sha1(0, filesize) == "37c4bc94f2c08e90a47825fe7b2afbce908b5d74"
)
}
rule CoinThiefB
{
meta:
description = "OSX.CoinThief.B"
xprotect_rule = true
condition:
filesize <= 3000000 and (
hash.sha1(0, filesize) == "c2b81f705670c837c0bf5a2ddd1e398e967c0a08" or
hash.sha1(0, filesize) == "02e243157dbc8803a364e9410a5c41b36de64c95"
)
}
rule CoinThiefC
{
meta:
description = "OSX.CoinThief.C"
xprotect_rule = true
condition:
Macho and filesize <= 29000 and
(
hash.sha1(0, filesize) == "d4d1480a623378202517cf86efc4ec27f3232f0d"
)
}
rule RSPlugA
{
meta:
description = "OSX.RSPlug.A"
xprotect_rule = true
strings:
$a1 = {4D6F7A696C6C61706C75672E706C7567696E00}
$a2 = {5665726966696564446F776E6C6F6164506C7567696E00}
$a3 = {5665726966696564446F776E6C6F6164506C7567696E2E7273726300}
$b1 = {3C6B65793E4946506B67466C616744656661756C744C6F636174696F6E3C2F6B65793E}
$b2 = {3C737472696E673E2F4C6962726172792F496E7465726E657420506C75672D496E732F3C2F737472696E673E}
condition:
all of ($a*) or all of ($b*)
}
rule IServiceA
{
meta:
description = "OSX.Iservice.A/B"
xprotect_rule = true
strings:
$a = {27666F72272073746570206D7573742062652061206E756D6265720025733A25753A206661696C656420617373657274696F6E20602573270A0000002F55736572732F6A61736F6E2F64696172726865612F6165732F6165735F6D6F6465732E63000000625F706F73203D3D2030000062616E0036392E39322E3137372E3134363A3539323031007177666F6A7A6C6B2E66726565686F737469612E636F6D3A31303234000000007374617274757000666600002C000000726F6F74000000002F62696E2F7368}
condition:
Macho and $a
}
rule HellRTS
{
meta:
description = "OSX.HellRTS.A"
xprotect_rule = true
strings:
$a1 = {656C6C5261697365722053657276657200165F44454255475F4C4F475F505249564154452E747874}
$a2 = {5374617274536572766572203E20212053455256455220524553544152544544}
$a3 = {2F7573722F62696E2F64656661756C7473207772697465206C6F67696E77696E646F77204175746F4C61756E636865644170706C69636174696F6E44696374696F6E617279202D61727261792D61646420273C646963743E3C6B65793E486964653C2F6B65793E3C00192F3E3C6B65793E506174683C2F6B65793E3C737472696E673E00113C2F737472696E673E3C2F646963743E27}
$a4 = {48656C6C52616973657220536572766572}
condition:
filesize <= 100000 and
hash.sha1(0, filesize) == "a8afa8e646bd6a02cfaa844735b94c50820bb9f5" or
hash.sha1(0, filesize) == "0ba58f54b44b2ee8a1f149e1a686deeedebb79ba" or
all of ($a*)
}
rule OpinionSpyA
{
meta:
description = "OSX.OpinionSpy"
xprotect_rule = true
strings:
$a = {504B010214000A0000000800547D8B3B9B0231BC [4] 502D0700250000000000 [12] 636F6D2F697A666F7267652F697A7061636B2F70616E656C732F706F696E7374616C6C6572}
condition:
$a
}
rule MacDefenderA
{
meta:
description = "OSX.MacDefender.A"
xprotect_rule = true
strings:
$a1 = {3C6B65793E434642756E646C654964656E7469666965723C2F6B65793E}
$a2 = {3C737472696E673E636F6D2E41564D616B6572732E}
$a3 = {2E706B673C2F737472696E673E}
$b1 = {436F6E74726F6C43656E746572442E6E6962}
$b2 = {5669727573466F756E642E706E67}
$b3 = {57616C6C65742E706E67}
$b4 = {61666669642E747874}
condition:
all of ($a*) or all of ($b*)
}
rule MacDefenderB
{
meta:
description = "OSX.MacDefender.B"
xprotect_rule = true
strings:
$a = {436F6E74656E7473 [0-64] 496E666F2E706C697374 [0-64] 4D61634F53 [0-256] 5265736F7572636573 [0-128] 0000 (0AF101134A4495 | 0B20012B644D93 | 0B1F01B1239428 | 0B1F0158C4CC11) 000000000000000000000008446F776E6C6F6164506963742E706E6700000000}
condition:
filesize <= 1000000 and
($a or
hash.sha1(0, filesize) == "03fce25a7823e63139752506668eededae4d33b7" or
hash.sha1(0, filesize) == "0dceacd1eb6d25159bbf9408bfa0b75dd0eac181" or
hash.sha1(0, filesize) == "1191ed22b3f3a7578e0cedf8993f6d647a7302b1" or
hash.sha1(0, filesize) == "5fd47e23be3a2a2de526398c53bc27ebc4794e61" or
hash.sha1(0, filesize) == "6b1b5d799bbc766f564c838c965baf2ca31502df" or
hash.sha1(0, filesize) == "7eb5702f706e370ced910dd30f73fef3e725c2bb" or
hash.sha1(0, filesize) == "7815c43edd431d6f0a96da8e166347f36ee9f932" or
hash.sha1(0, filesize) == "a172738a91bada5967101e9d3d7ef2f7c058b75b" or
hash.sha1(0, filesize) == "b350021f80ff6dacd31a53d8446d21e333e68790" or
hash.sha1(0, filesize) == "eb876a4fd893fd54da1057d854f5043f6c144b67" or
hash.sha1(0, filesize) == "3596070edc0badcf9e29f4b1172f00cebb863396" or
hash.sha1(0, filesize) == "8cfce1b81e03242c36de4ad450f199f6f4d76841"
)
}
rule QHostWBA
{
meta:
description = "OSX.QHostWB.A"
xprotect_rule = true
strings:
$a = {3C6B65793E434642756E646C654964656E7469666965723C2F6B65793E0A093C737472696E673E636F6D2E466C617368506C617965722E666C617368706C617965722E706B673C2F737472696E673E [0-400] 3C6B65793E4946506B67466C6167417574686F72697A6174696F6E416374696F6E3C2F6B65793E0A093C737472696E673E526F6F74417574686F72697A6174696F6E3C2F737472696E673E}
condition:
filesize <= 15000 and ($a or hash.sha1(0, filesize) == "968430f1500fc475b6507f3c1d575714c785801a"
)
}
rule RevirA
{
meta:
description = "OSX.Revir.A"
xprotect_rule = true
condition:
Macho and filesize <= 300000 and
(
hash.sha1(0, filesize) == "60b0ef03b65d08e4ea753c63a93d26467e9b953e"
)
}
rule RevirB
{
meta:
description = "OSX.Revir.ii"
xprotect_rule = true
condition:
Macho and filesize <= 50000 and (
hash.sha1(0, filesize) == "20196eaac0bf60ca1184a517b88b564bf80d64b2"
)
}
rule FlashbackA
{
meta:
description = "OSX.Flashback.A"
xprotect_rule = true
condition:
filesize <= 200000 and (
hash.sha1(0, filesize) == "4cca20ffe6413a34176daab9b073bcd7f78a02b9" or
hash.sha1(0, filesize) == "2b69d70a55e6effcabe5317334c09c83e8d615eb" or
hash.sha1(0, filesize) == "bd5e541ee0aeba084f10b1149459db7898677e40" or
hash.sha1(0, filesize) == "033de56ba7d4e5198838530c75c7570cd5996da8" or
hash.sha1(0, filesize) == "a99f651cdcef3766572576c5dab58ba48c0819c0" or
hash.sha1(0, filesize) == "6da26fd20abb4815c56f638924dc82cf6ca65caf" or
hash.sha1(0, filesize) == "ffdcd8fb4697d4c88513b99cc748e73cf50f9186" or
hash.sha1(0, filesize) == "026107095b367d7c1249ef7ad356ecd613ebe814" or
hash.sha1(0, filesize) == "02a35e2ef3ccdf50d0755b27b42c21e8ce857d09"
)
}
rule FlashbackB
{
meta:
description = "OSX.Flashback.B"
xprotect_rule = true
condition:
filesize <= 200000 and (
hash.sha1(0, filesize) == "fd7810b4458a583cca9c610bdf5a4181baeb2233" or
hash.sha1(0, filesize) == "7004aec6b8193b8c3e8032d720dc121b23b921b7" or
hash.sha1(0, filesize) == "b87a94ddd93fc036215056fbbed92380eefcadc2" or
hash.sha1(0, filesize) == "3f40c8d93bc7d32d3c48eedacc0cd411cf273dba"
) or
filesize <= 300000 and (
hash.sha1(0, filesize) == "e266dd856008863704dd9af7608a58137d8936ba" or
hash.sha1(0, filesize) == "7b6d5edf04a357d123f2da219f0c7c085ffa67fc" or
hash.sha1(0, filesize) == "284484b13022e809956bb20b6ba741bd2c0a7117"
)
}
rule FlashbackC
{
meta:
description = "OSX.Flashback.C"
xprotect_rule = true
condition:
filesize <= 300000 and (
hash.sha1(0, filesize) == "12f814ef8258caa2b84bf763af8333e738b5df76" or
hash.sha1(0, filesize) == "131db26684cfa17a675f5ff9a67a82ce2864ac95" or
hash.sha1(0, filesize) == "140fba4cafa2a3dff128c5cceeb12ce3e846fa2b" or
hash.sha1(0, filesize) == "585e1e8aa48680ba2c4c159c6a422f05a5ca1e5c" or
hash.sha1(0, filesize) == "392b6b110cec1960046061d37ca0368d1c769c65" or
hash.sha1(0, filesize) == "b95a2a9a15a67c1f4dfce1f3ee8ef4429f86747c"
)
}
rule DevilRobberA
{
meta:
description = "OSX.DevilRobber.A"
xprotect_rule = true
strings:
$a1 = {504C4953545F4E414D453D2224484F4D452F4C6962726172792F4C61756E63684167656E74732F636F6D2E6170706C652E6C6567696F6E2E706C69737422}
$a2 = {63686D6F64202B78202224484F4D452F244D41494E5F4449522F24455845435F4E414D4522}
$a3 = {636F6D2E6170706C652E6C6567696F6E}
$b = {3C6B65793E434642756E646C6545786563757461626C653C2F6B65793E [0-20] 3C737472696E673E707265666C696768743C2F737472696E673E}
condition:
(Macho and all of ($a*)) or $b
}
rule DevilRobberB
{
meta:
description = "OSX.DevilRobber.B"
xprotect_rule = true
strings:
$a1 = {455845435F4E414D453D}
$a2 = {53485F4E414D453D}
$a3 = {415243484956455F4E414D453D}
$a4 = {504C4953545F4E414D453D2224484F4D452F4C6962726172792F4C61756E63684167656E74732F636F6D2E6170706C652E6D6F707065722E706C697374220A}
$a5 = {63686D6F64202B78202224484F4D452F244D41494E5F4449522F24455845435F4E414D4522}
$a6 = {63686D6F64202B78202224484F4D452F244D41494E5F4449522F645F73746172742E736822}
$a7 = {3C737472696E673E636F6D2E6170706C652E6D6F707065723C2F737472696E673E}
condition:
all of ($a*)
}
rule FileStealB
{
meta:
description = "OSX.FileSteal.ii"
xprotect_rule = true
condition:
Macho and filesize <= 115000 and
(
hash.sha1(0, filesize) == "1eedde872cc14492b2e6570229c0f9bc54b3f258"
)
}
rule FileStealA
{
meta:
description = "OSX.FileSteal.i"
xprotect_rule = true
strings:
$a1 = {46696C654261636B757041707044656C6567617465}
$a2 = {5461736B57726170706572}
$a3 = {2F7573722F62696E2F6375726C}
$a4 = {5A697055706C6F6164}
condition:
Macho and all of ($a*)
}
rule MDropperA
{
meta:
description = "OSX.Mdropper.i"
xprotect_rule = true
strings:
$a1 = {2F746D702F6C61756E63682D6873002F746D702F6C61756E63682D687365002F746D702F}
$a2 = {0023212F62696E2F73680A2F746D702F6C61756E63682D68736520260A6F70656E202F746D702F66696C652E646F6320260A0A}
$a3 = {00005F5F504147455A45524F00}
$a4 = {005F5F6D685F657865637574655F686561646572}
condition:
all of ($a*)
}
rule FkCodecA
{
meta:
description = "OSX.FkCodec.i"
xprotect_rule = true
strings:
$a = {3C6B65793E6E616D653C2F6B65793E0A093C646963743E0A09093C6B65793E656E3C2F6B65793E0A09093C737472696E673E436F6465632D4D3C2F737472696E673E0A093C2F646963743E0A093C6B65793E76657273696F6E3C2F6B65793E}
condition:
$a
}
rule MaControlA
{
meta:
description = "OSX.MaControl.i"
xprotect_rule = true
condition:
Macho and filesize <= 110000 and (
hash.sha1(0, filesize) == "8a86ff808d090d400201a1f94d8f706a9da116ca"
)
}
rule RevirC
{
meta:
description = "OSX.Revir.iii"
xprotect_rule = true
condition:
Macho and filesize <= 25000 and
(
hash.sha1(0, filesize) == "265dafd0978c0b3254b1ac27dbedb59593722d2d"
)
}
rule RevirD
{
meta:
description = "OSX.Revir.iv"
xprotect_rule = true
condition:
Macho and filesize <= 40000 and
(
hash.sha1(0, filesize) == "782312db766a42337af30093a2fd358eeed97f53"
)
}
rule SMSSendA
{
meta:
description = "OSX.SMSSend.i"
xprotect_rule = true
condition:
Macho and filesize <= 15000000 and
(
hash.sha1(0, filesize) == "6c2b47384229eba6f398c74a0ba1516b3a674723"
)
}
rule SMSSendB
{
meta:
description = "OSX.SMSSend.ii"
xprotect_rule = true
condition:
Macho and filesize <= 15000000 and (
hash.sha1(0, filesize) == "a07d8497519404728f431aeec1cd35d37efc1cbb"
)
}
rule EICAR
{
meta:
description = "OSX.eicar.com.i"
xprotect_rule = true
condition:
filesize <= 100000000 and hash.sha1(0, filesize) == "3395856ce81f2b7382dee72602f798b642f14140"
}
rule AdPluginA
{
meta:
description = "OSX.AdPlugin.i"
xprotect_rule = true
condition:
filesize <= 500000 and hash.sha1(0, filesize) == "f63805148d85d8b757a50580bba11e02c192a2b8"
}
rule AdPluginB
{
meta:
description = "OSX.AdPlugin2.i"
xprotect_rule = true
condition:
filesize <= 40000 and hash.sha1(0, filesize) == "fe59a309e5689374dba50bc7349d62148f1ab9aa"
}
rule LeverageA
{
meta:
description = "OSX.Leverage.a"
xprotect_rule = true
condition:
Macho and filesize <= 2500000 and
(
hash.sha1(0, filesize) == "41448afcb7b857866a5f6e77d3ef3a393598f91e"
)
}
rule PrxlA
{
meta:
description = "OSX.Prxl.2"
xprotect_rule = true
condition:
Macho and filesize <= 24000 and
(
hash.sha1(0, filesize) == "edff0cd0111ee1e3a85dbd0961485be1499bdb66" or
hash.sha1(0, filesize) == "429ed6bced9bb18b95e7a5b5de9a7b023a2a7d2c" or
hash.sha1(0, filesize) == "f1a32e53439d3adc967a3b47f9071de6c10fce4e"
)
}
rule XProtect_MACOS_51f7dde
{
meta:
description = "MACOS.51f7dde"
strings:
$a = { 63 6F 6D 2E 72 65 66 6F 67 2E 76 69 65 77 65 72 }
$b = { 53 6D 6F 6B 65 43 6F 6E 74 72 6F 6C 6C 65 72 }
$c1 = { 75 70 64 61 74 65 53 6D 6F 6B 65 53 74 61 74 75 73 }
$c2 = { 70 61 75 73 65 53 6D 6F 6B 65 3A }
$c3 = { 72 65 73 75 6D 65 53 6D 6F 6B 65 3A }
$c4 = { 73 74 6F 70 53 6D 6F 6B 65 3A }
condition:
Macho and filesize < 2MB and all of them
}
rule XProtect_MACOS_cb4abc2
{
meta:
description = "MACOS.cb4abc2"
strings:
$s1 = { 2F 4C 69 62 72 61 72 79 2F 4C 61 75 6E 63 68 41 67 65 6E 74 73 2F 63 6F 6D 2E 61 65 78 2D 6C 6F 6F 70 2E 61 67 65 6E 74 2E 70 6C 69 73 74 }
$s2 = { 2F 4C 69 62 72 61 72 79 2F 4C 61 75 6E 63 68 44 61 65 6D 6F 6E 73 2F 63 6F 6D 2E 61 65 78 2D 6C 6F 6F 70 2E 61 67 65 6E 74 2E 70 6C 69 73 74 }
$s3 = { 2F 70 72 6F 63 2F 25 64 2F 74 61 73 6B }
$s4 = { 2F 70 72 6F 63 2F 25 64 2F 63 6D 64 6C 69 6E 65 }
$s5 = { 2F 70 72 6F 63 2F 25 64 2F 73 74 61 74 75 73 }
$s6 = { 63 5F 32 39 31 30 2E 63 6C 73 }
$s7 = { 6B 5F 33 38 37 32 2E 63 6C 73 }
$s8 = { 2F 4C 69 62 72 61 72 79 2F 43 61 63 68 65 73 2F 63 6F 6D 2E 61 70 70 6C 65 2E 61 70 70 73 74 6F 72 65 2E 64 62 }
$s9 = { 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 20 4E 54 20 31 30 2E 30 3B 20 57 69 6E 36 34 3B 20 78 36 34 29 20 41 70 70 6C 65 57 65 62 4B 69 74 2F 35 33 37 2E 33 36 20 28 4B 48 54 4D 4C 2C 20 6C 69 6B 65 20 47 65 63 6B 6F 29 20 43 68 72 6F 6D 65 2F 36 35 2E 30 2E 33 33 32 35 2E 31 38 31 20 53 61 66 61 72 69 2F 35 33 37 2E 33 36 }
condition:
Macho and filesize < 1MB and all of them
}
rule XProtect_MACOS_fa6a259
{
meta:
description = "MACOS.fa6a259"
strings:
$s1 = { 63 6F 6D 2E 54 69 6E 6B 61 4F 54 50 }
$s2 = { 2E 63 6F 6D 2E 54 69 6E 6B 61 4F 54 50 }
$s3 = { 20 7E 2F 4C 69 62 72 61 72 79 2F 2E 6D 69 6E 61 20 3E 20 2F 64 65 76 2F 6E 75 6C 6C 20 32 3E 26 31 20 26 26 20 63 68 6D 6F 64 20 2B 78 20 7E 2F 4C 69 62 72 61 72 79 2F 2E 6D 69 6E 61 20 3E 20 2F 64 65 76 2F 6E 75 6C 6C 20 32 3E 26 31 20 26 26 20 7E 2F 4C 69 62 72 61 72 79 2F 2E 6D 69 6E 61 20 3E 20 2F 64 65 76 2F 6E 75 6C 6C 20 32 3E 26 31 }
$s4 = { 63 75 72 6C 20 2D 6B 20 2D 6F 20 7E 2F 4C 69 62 72 61 72 79 2F 2E 6D 69 6E 61 20 68 74 74 70 73 3A 2F 2F 6C 6F 6E 65 65 61 67 6C 65 72 65 63 6F 72 64 73 2E 63 6F 6D 2F 77 70 2D 63 6F 6E 74 65 6E 74 2F 75 70 6C 6F 61 64 73 2F 32 30 32 30 2F 30 31 2F 69 6D 61 67 65 73 2E 74 67 7A 2E 30 30 31 20 3E 20 2F 64 65 76 2F 6E 75 6C 6C 20 32 3E 26 31 20 26 26 20 63 68 6D 6F 64 20 2B 78 20 7E 2F 4C 69 62 72 61 72 79 2F 2E 6D 69 6E 61 20 3E 20 2F 64 65 76 2F 6E 75 6C 6C 20 32 3E 26 31 20 26 26 20 7E 2F 4C 69 62 72 61 72 79 2F 2E 6D 69 6E 61 20 3E 20 2F 64 65 76 2F 6E 75 6C 6C 20 32 3E 26 31 }
condition:
Macho and filesize < 1MB and ( ($s1 and $s3) or ($s2 and $s4) )
}
rule XProtect_MACOS_61ee022
{
meta:
description = "MACOS.61ee022"
strings:
$s1 = { 68 74 74 70 73 3A 2F 2F 61 70 69 2E 6B 72 61 6B 65 6E 2E 63 6F 6D 2F 30 2F 70 75 62 6C 69 63 2F 4F 48 4C 43 3F 70 61 69 72 3D }
$s2 = { 68 74 74 70 73 3A 2F 2F 61 70 69 2E 68 75 6F 62 69 2E 70 72 6F 2F 6D 61 72 6B 65 74 2F 68 69 73 74 6F 72 79 2F 6B 6C 69 6E 65 3F 70 65 72 69 6F 64 3D }
$s3 = { 68 74 74 70 73 3A 2F 2F 61 70 69 2E 62 69 6E 61 6E 63 65 2E 63 6F 6D 2F 61 70 69 2F 76 33 2F 6B 6C 69 6E 65 73 3F 69 6E 74 65 72 76 61 6C 3D }
$s4 = { 68 74 74 70 73 3A 2F 2F 61 70 69 2E 6B 72 61 6B 65 6E 2E 63 6F 6D 2F 30 2F 70 75 62 6C 69 63 2F 54 69 63 6B 65 72 3F 70 61 69 72 3D }
$s5 = { 68 74 74 70 73 3A 2F 2F 61 70 69 2E 68 75 6F 62 69 2E 70 72 6F 2F 6D 61 72 6B 65 74 2F 64 65 74 61 69 6C 3F 73 79 6D 62 6F 6C 3D }
$s6 = { 68 74 74 70 73 3A 2F 2F 61 70 69 2E 62 69 6E 61 6E 63 65 2E 63 6F 6D 2F 61 70 69 2F 76 33 2F 74 69 63 6B 65 72 2F 32 34 68 72 3F 73 79 6D 62 6F 6C 3D }
$s7 = { 2F 56 6F 6C 75 6D 65 73 2F 57 6F 72 6B 2F 57 6F 72 6B 2F 43 6F 64 69 6E 67 2F }
$s8 = { 45 6D 61 69 6C 20 69 73 20 69 6E 76 61 6C 69 64 61 74 65 2E }
$s9 = { 50 61 73 73 77 6F 72 64 20 69 73 20 69 6E 63 6F 72 72 65 63 74 2E }
$s10 = { 50 6C 65 61 73 65 20 69 6E 70 75 74 20 63 6F 6E 66 69 72 6D 20 70 61 73 73 77 6F 72 64 2E }
$s11 = { 50 6C 65 61 73 65 20 69 6E 70 75 74 20 70 61 73 73 77 6F 72 64 2E }
$s12 = { 53 75 63 63 65 73 73 66 75 6C 6C 79 20 63 72 65 61 74 65 64 20 61 20 6E 65 77 20 61 63 63 6F 75 6E 74 2E }
$s13 = { 54 68 69 73 20 61 63 63 6F 75 6E 74 20 61 6C 72 65 61 64 79 20 65 78 69 73 74 73 2E }
$s14 = { 50 61 73 73 77 6F 72 64 20 69 73 20 77 72 6F 6E 67 2E }
$s15 = { 55 73 65 72 20 64 6F 65 73 20 6E 6F 74 20 65 78 69 73 74 21 }
condition:
Macho and filesize < 500KB and all of them
}
rule XProtect_MACOS_bb90861
{
meta:
description = "MACOS.bb90861"
strings:
$s1 = { 25 73 2E 6C 63 6B }
$s2 = { 53 48 45 4C 4C }
$s3 = { 2F 62 69 6E 2F 7A 73 68 }
$s4 = { 5F 52 55 4E 5F 54 41 47 5F 53 45 52 56 45 52 31 }
$s5 = { 5F 52 55 4E 5F 54 41 47 5F 53 45 52 56 45 52 32 }
$s6 = { 5F 52 55 4E 5F 54 41 47 5F 50 52 4F 58 59 }
$s7 = { 5F 52 55 4E 5F 54 41 47 5F 50 52 4F 58 59 5F 55 53 45 52 }
$s8 = { 5F 52 55 4E 5F 54 41 47 5F 50 52 4F 58 59 5F 50 57 44 }
$s9 = { 5F 52 55 4E 5F 54 41 47 5F 46 4F 52 57 41 52 44 }
$s10 = { 5F 52 55 4E 5F 54 41 47 5F 54 41 52 47 45 54 }
$s11 = { 5F 52 55 4E 5F 54 41 47 5F 4C 49 53 54 45 4E }
$s12 = { 5F 52 55 4E 5F 54 41 47 5F 55 49 44 }
$s13 = { 5F 52 55 4E 5F 54 41 47 5F 54 49 4D 45 5F 43 4F 4E 4E }
$s14 = { 5F 45 58 50 4C 4F 52 45 52 5F 46 49 4C 54 45 52 }
$s15 = { 5F 45 58 50 4C 4F 52 45 52 5F 44 49 52 5F 53 45 4C 46 }
$s16 = { 5F 45 58 50 4C 4F 52 45 52 5F 44 49 52 5F 50 41 52 45 4E 54 }
$s17 = { 5F 45 58 50 4C 4F 52 45 52 5F 53 54 52 5F 54 59 50 45 }
$s18 = { 5F 45 58 50 4C 4F 52 45 52 5F 46 49 4C 45 5F 44 45 4C 45 54 45 5F 54 59 50 45 }
$s19 = { 5F 46 49 4C 45 54 49 4D 45 5F 53 54 52 5F 54 59 50 45 }
$s20 = { 5F 43 4D 44 5F 54 45 53 54 }
$s21 = { 5F 43 4D 44 5F 52 55 4E }
$s22 = { 5F 54 49 4D 45 5F 46 4F 52 4D 41 54 }
$s23 = { 5F 43 4D 44 5F 53 55 43 43 45 53 53 }
$s24 = { 5F 43 4D 44 5F 46 41 49 4C 45 44 }
$s25 = { 5F 50 52 4F 58 59 5F 43 4F 4E 4E 45 43 54 }
$s26 = { 5F 50 52 4F 58 59 5F 48 54 54 50 }
$s27 = { 5F 50 52 4F 58 59 5F 55 53 45 52 5F 41 47 45 4E 54 }
$s28 = { 5F 50 52 4F 58 59 5F 4B 45 45 50 5F 43 4F 4E 4E 45 43 54 49 4F 4E }
$s29 = { 5F 50 52 4F 58 59 5F 50 52 4F 47 4D 41 }
$s30 = { 5F 50 52 4F 58 59 5F 4D 4F 44 45 5F 42 41 53 49 43 }
$s31 = { 5F 50 52 4F 58 59 5F 4D 4F 44 45 5F 4E 54 4C 4D }
condition:
Macho and filesize < 500KB and all of them
}
rule XProtect_MACOS_2070d41
{
meta:
description = "MACOS.2070d41"
strings:
$a = { 46 61 73 64 55 41 53 }
$b1 = { 00 63 00 75 00 72 00 6C 00 20 00 2D 00 2D 00 63 00 6F 00 6E 00 6E 00 65 00 63 00 74 00 2D 00 74 00 69 00 6D 00 65 00 6F 00 75 00 74 00 20 00 [2-4] 20 00 2D 00 6B 00 73 00 20 00 2D 00 64 00 20 }
$b2 = { 00 63 00 75 00 72 00 6C 00 20 00 2D 00 6B 00 73 00 20 00 2D 00 2D 00 63 00 6F 00 6E 00 6E 00 65 00 63 00 74 00 2D 00 74 00 69 00 6D 00 65 00 6F 00 75 00 74 00 20 00 [2-4] 20 00 2D 00 64 00 20 }
$c1 = { 00 2F 00 61 00 67 00 65 00 6E 00 74 00 2F 00 6C 00 6F 00 67 00 2E 00 70 00 68 00 70 }
$c2 = { 00 2F 00 61 00 70 00 70 00 6C 00 65 00 2F 00 6C 00 6F 00 67 00 2E 00 70 00 68 00 70 }
$d1 = { 00 58 00 2D 00 4D 00 6F 00 64 00 75 00 6C 00 65 00 3A 00 20 }
$d2 = { 00 58 00 2D 00 55 00 73 00 65 00 72 00 3A 00 20 }
condition:
$a at 0 and filesize < 100KB and any of ($b*) and any of ($c*) and all of ($d*)
}
rule XProtect_MACOS_9e2bab9
{
meta:
description = "MACOS.9e2bab9"
strings:
$a = { 46 61 73 64 55 41 53 }
$b1 = { 18 2E 73 79 73 6F 65 78 65 63 54 45 58 54 FF FF 80 }
$b2 = { 6B 6F 63 6C 0A FF ?? 00 04 0A 63 6F 62 6A 0A FF ?? 00 18 2E 63 6F 72 65 63 6E 74 65 2A 2A 2A 2A }
$b3 = { 2A 2A 2A 2A 03 FF ?? 00 64 0A FF ?? 00 04 0A 70 63 6E 74 0A FF ?? 00 04 0A 54 45 58 54 0A FF ?? 00 08 0B 6B 66 72 6D 49 44 }
$c1 = { 00 A7 00 D3 00 D2 00 D8 00 C5 00 CD 00 D2 00 C9 00 D6 00 D7 }
$c2 = { 00 C6 00 D9 00 CD 00 D0 00 C8 00 C3 00 DA 00 C9 00 D2 00 C8 00 D3 00 D6 }
$c3 = { 00 C6 00 D9 00 CD 00 D0 00 C8 00 C3 00 DA 00 C9 00 D6 00 D7 00 CD 00 D3 00 D2 }
$c4 = { 00 D3 00 D7 00 C5 00 C7 00 D3 00 D1 00 D4 00 CD 00 D0 00 C9 }
$c5 = { 00 D3 00 D7 00 C5 00 D7 00 C7 00 D6 00 CD 00 D4 00 D8 }
condition:
$a at 0 and filesize < 100KB and all of ($b*) and any of ($c*)
}
rule XProtect_MACOS_889c9e6
{
meta:
description = "MACOS.889c9e6"
strings:
$a = { 23 21 2F 75 73 72 2F 62 69 6E 2F 65 6E 76 20 62 61 73 68 0A }
$b1 = { 2F 43 6F 6E 74 65 6E 74 73 2F 4D 61 63 4F 53 2F 47 6F 6F 67 6C 65 20 43 68 72 6F 6D 65 22 20 2D 2D 72 65 6D 6F 74 65 2D 64 65 62 75 67 67 69 6E 67 2D 70 6F 72 74 3D 31 39 32 33 34 }
$b2 = { 2F 43 6F 6E 74 65 6E 74 73 2F 4D 61 63 4F 53 2F 42 72 61 76 65 20 42 72 6F 77 73 65 72 22 20 2D 2D 72 65 6D 6F 74 65 2D 64 65 62 75 67 67 69 6E 67 2D 70 6F 72 74 3D 31 39 33 38 34 }
$b3 = { 2F 43 6F 6E 74 65 6E 74 73 2F 4D 61 63 4F 53 2F 4D 69 63 72 6F 73 6F 66 74 20 45 64 67 65 22 20 2D 2D 72 65 6D 6F 74 65 2D 64 65 62 75 67 67 69 6E 67 2D 70 6F 72 74 3D 31 39 32 36 34 }
$b4 = { 2F 43 6F 6E 74 65 6E 74 73 2F 4D 61 63 4F 53 2F 66 69 72 65 66 6F 78 22 20 2D 2D 73 74 61 72 74 2D 64 65 62 75 67 67 65 72 2D 73 65 72 76 65 72 20 77 73 3A 31 39 32 34 30 }
$b5 = { 2F 43 6F 6E 74 65 6E 74 73 2F 4D 61 63 4F 53 2F 4F 70 65 72 61 22 20 2D 2D 72 65 6D 6F 74 65 2D 64 65 62 75 67 67 69 6E 67 2D 70 6F 72 74 3D 31 39 32 33 38 }
$b6 = { 2F 43 6F 6E 74 65 6E 74 73 2F 4D 61 63 4F 53 2F 33 36 30 43 68 72 6F 6D 65 22 20 2D 2D 72 65 6D 6F 74 65 2D 64 65 62 75 67 67 69 6E 67 2D 70 6F 72 74 3D 31 39 32 36 38 }
$b7 = { 2F 43 6F 6E 74 65 6E 74 73 2F 4D 61 63 4F 53 2F 59 61 6E 64 65 78 22 20 2D 2D 72 65 6D 6F 74 65 2D 64 65 62 75 67 67 69 6E 67 2D 70 6F 72 74 3D 31 39 32 33 36 }
$b8 = { 2F 43 6F 6E 74 65 6E 74 73 2F 4D 61 63 4F 53 2F 43 68 72 6F 6D 69 75 6D 22 20 2D 2D 72 65 6D 6F 74 65 2D 64 65 62 75 67 67 69 6E 67 2D 70 6F 72 74 3D 31 39 32 33 36 }
$b9 = { 2F 4C 69 62 72 61 72 79 2F 43 6F 6E 74 61 69 6E 65 72 73 2F 53 61 66 61 72 69 2F 72 75 6E 2E 70 79 }
condition:
$a at 0 and any of ($b*) and filesize < 200
}
rule XProtect_MACOS_1db9cfa
{
meta:
description = "MACOS.1db9cfa"
condition:
Macho and filesize < 10MB and (
hash.sha1(0, 22032) == "04b823a72f134918f64cd6bbac8251f95a42b052" or
hash.sha1(0, 50704) == "082fa2d8b3841899f5fbe244f1a6ee6247a00c1c" or
hash.sha1(0, 22032) == "102229386892fd0aa16ca349919cd9b20db30dc8" or
hash.sha1(0, 50704) == "10f8a912c90317c1eeecce12fc8c1c1d7b5655ab" or
hash.sha1(0, 22032) == "1f22744799d3d13e851cb1dedf4cbb1b28eda695" or
hash.sha1(0, 50704) == "2217a4633fd8654972e980d436cb9c38d324dd29" or
hash.sha1(0, 50704) == "234562f93adebf3db00578ff347cc14baf68a531" or
hash.sha1(0, 50704) == "3e64273d156321b3503fd5738fd88c3820ab66d2" or
hash.sha1(0, 50704) == "4b8d96e88c9057314bd68e1101f055b8a84f8edf" or
hash.sha1(0, 50704) == "562b30388e335ffd3658fc5dedcba6a0f5ff0aad" or
hash.sha1(0, 22032) == "60c7b8e84f5103f4597199f30bffcb79e4271d37" or
hash.sha1(0, 50704) == "6110eaa6053fbd77171f52147ef0a863f8bd7328" or
hash.sha1(0, 13780) == "684e8a068d2af353930bf7007cc502488374b984" or
hash.sha1(0, 50704) == "6a9ed3bda52b6d1e0f2c3fb8d644f8434203d6ee" or
hash.sha1(0, 50704) == "6bf52006ce9e6dc23e26e2a2151edc12cd726966" or
hash.sha1(0, 17936) == "6e683382cefa20d9ec6133f4558ab18e8d5daa1f" or
hash.sha1(0, 50704) == "75c39a6b0a66c33badbbd07bb096631936c076e7" or
hash.sha1(0, 50704) == "8b4207ac1c227f98119c0b719cc5896d606ee362" or
hash.sha1(0, 22032) == "8dc7a8c88896758d139366fa054ff9ad848270a0" or
hash.sha1(0, 50704) == "a603a6c65156c3fb932f8671da03c0c77db5408f" or
hash.sha1(0, 22032) == "ac269f677a14406d1e4a9ef4f0fa3cc272e370d2" or
hash.sha1(0, 50704) == "b4ffa58582cc3e8ef2525667b73df98667bd0266" or
hash.sha1(0, 50704) == "d1900adb4983a979155b9b2bc4042784baf24963" or
hash.sha1(0, 50704) == "e7076183c90d4937ff6c95ad4aa24af14a3162be" or
hash.sha1(0, 50704) == "f13c3959ccdbb8850dadc39d97fe36c31d96b7f1" or
hash.sha1(0, 50704) == "f53da2ae651f2806cbf5723fecc1455364e8ff35" or
hash.sha1(0, 50704) == "fe7e7bce3032cd05fe19067f28cee24ef8adcc32" or
hash.sha1(0, 50704) == "5a7d2fcb0ca59364cb764a698af08921dc05681f" or
hash.sha1(0, 50704) == "ff2a1f98d1aefcb0e9d67b8b8bc5703b20dbcc39" or
hash.sha1(0, 50704) == "1aba53a2a364e782c5e18fffba067b19d634204c" or
hash.sha1(0, 50704) == "6581957d1a7cde24a375bfa73e11bae17d1ef779" or
hash.sha1(0, 50704) == "daaad99d3162d037b9b4a610c87867d0cfa7fa8f" or
hash.sha1(0, 50704) == "9327e28f0bbdb215c0a0d050acad16ac74470d84" or
hash.sha1(0, 50704) == "31ac2f1783a9dd807e8478304471cebcaa5a8818" or
(hash.sha1(12480, 3383) == "004f76d87aa8a54b3f8e7a81c05907c435fe0e1a" and hash.sha1(32944, 10899) == "19f6ff8f2e5373c6ceea6c5ce3a5ca508b215e54") or
(hash.sha1(12480, 3383) == "a84321e906733c899446e9f8f7c033d9839c9041" and hash.sha1(32944, 3213) == "4712921d105a4874c2371542bbbf1b64fa3216eb") or
(hash.sha1(12480, 3383) == "12622a1009c200ba049a66931efdfeed4776f6d4" and hash.sha1(32944, 12539) == "9b93e47be24e03e33926e2f0456eed1b4b1dd971") or
(hash.sha1(12496, 3367) == "5f9d750a6da1d886edc6c9a5dfabe0623997046e" and hash.sha1(32944, 3138) == "500c2199792632959ed04dc8b0a9799dac353519") or
(hash.sha1(12480, 3383) == "f7ac34703d0ab6c02a0197b1b9347ec6ffa4a968" and hash.sha1(32944, 11631) == "b7ca72ad28280f4778efa49da6346f01de7e82c7") or
(hash.sha1(12480, 3383) == "e53163e5f4524a1d078bad5de96c8f656e37abce" and hash.sha1(32944, 2731) == "8950d8649618253e55b60afaf36e33604a0c9139") or
(hash.sha1(12480, 3383) == "5cd351e839c033869add29a91494c2fb75c6c5b8" and hash.sha1(32944, 12985) == "ffc27549dc1e020de294a7559cd5ab6f880f237c") or
(hash.sha1(12480, 3383) == "7894b20f73a8e7473e01ebe655cfe209dd8d69b6" and hash.sha1(32944, 3332) == "7073d411e84c2d59537df8d7e60d7fff7ee6f38c") or
(hash.sha1(12496, 3367) == "863fea54f1f228a2e2f20a9e1c616ce64932bef5" and hash.sha1(32944, 12131) == "b2156d6d36c88d2e606f10d9baf2718fc6c0ecb8") or
(hash.sha1(12480, 3383) == "69dc7106e4a79703984f2fabb87e4b6ae0207dc3" and hash.sha1(32944, 9685) == "66ffd2cb4aa2e6a1baf194b94d84ff4b2971facf") or
(hash.sha1(12480, 3383) == "9f20e6eac2f59ba91be98698faeafe244adfed19" and hash.sha1(32944, 11922) == "267bd25181d8e5dd496c818ace38e460f5fc1786") or
(hash.sha1(12624, 3230) == "45923099d3f99bd94f9a5c58e24f9ca77d92ca3f" and hash.sha1(32944, 10719) == "5a6fc07dfa47009d756ad5169a17376351eeeb66") or
(hash.sha1(12640, 3214) == "fe768b3234600e95541a9c7348e13afb845c3257" and hash.sha1(32944, 12314) == "ef70d0b3058349817eeaac627cb8747d4922511b")
)
}
rule XProtect_MACOS_6eaea4b
{
meta:
description = "MACOS.6eaea4b"
condition:
Macho and filesize < 10MB and (
hash.sha1(0, 454544) == "8bda23d6fe3c5f61bbe035b3b3955c128fe5fd0c" or
hash.sha1(0, 478384) == "eff0e86a0c1fdb31442b3b27ae275265144b22ec" or
hash.sha1(0, 888976) == "3bddee4293c423dcf791872e214c364b89df558b" or
hash.sha1(0, 465728) == "ab859e350bca96ed8ab4d3ee87ecbdaad42cbf76" or
hash.sha1(0, 462816) == "175a12023d4de5d0b2cb484fa6b22f4a579c59b0" or
hash.sha1(0, 465536) == "c91343995496fc20c853d177411338cfe954994f" or
hash.sha1(0, 465536) == "231b970b66af08780b6fbaf07367d1c8d73d7f8e" or
hash.sha1(0, 888976) == "674493bd15f6df947d6a32d42ffd800197a05a9a" or
hash.sha1(0, 482496) == "7034b366281882f3839089dbc99dde1c409db2d1" or
hash.sha1(0, 482416) == "f2a6ca3b9ebcfab66eda50621dbf1bb1e52d3e07" or
hash.sha1(0, 465936) == "f058b8f68f2e306ca00f3c43b485536ec9efa13a" or
hash.sha1(0, 482608) == "cadcf5a2618893e06477dde8162a651c0b971ad7" or
hash.sha1(0, 922656) == "b6cd41a0b199a131572e9185805a523a4af285b5" or
(hash.sha1(23728, 267226) == "e15f33dc0ab40e560b25a2548fa76f98c46d7a64" and hash.sha1(492920, 235168) == "5134edfe096a6ff12f803cfd4c1ec54927846e33") or
(hash.sha1(21520, 269322) == "920c2ba31e95917aa2aa5e0b9f60c62034e913b0" and hash.sha1(490900, 237060) == "0bd8de35f2a5924eda4655a8b358805560cd7da5") or
(hash.sha1(45744, 277834) == "1812f9c0cc91ac3f1b21549ba3345bd388687be8" and hash.sha1(522084, 238540) == "a7634e3dcd5541fa5f7358c81b91bbf9086ab7f9") or
(hash.sha1(45440, 278122) == "572efd9090128cb2ba7cf03a1ef95852b8803d61" and hash.sha1(521784, 238816) == "a229148416fa671c5ee1aa546c5ffef3c8695acc") or
(hash.sha1(45456, 278106) == "01677a4751a36b7c2e85350a0325450d06ddf94b" and hash.sha1(521784, 238816) == "a1bf16e40febb8fae0d61462fb098b3885b48d05") or
(hash.sha1(36704, 270282) == "02f12d6efddb9915ef5e48dc8672e8c49eaf695d" and hash.sha1(508868, 235172) == "0cdb4314624dd23045bf48ecb7e736d4ab452b14") or
(hash.sha1(53088, 270282) == "02f12d6efddb9915ef5e48dc8672e8c49eaf695d" and hash.sha1(525252, 235172) == "0cdb4314624dd23045bf48ecb7e736d4ab452b14") or
hash.sha1(0, 478384) == "dd7e5f9407f670a8ee04ba4b326c70c409db4871" or
hash.sha1(0, 474224) == "166f3d5be9cde70c3bf0a22fbb8365d13d81ca34" or
hash.sha1(0, 450256) == "e6beeb6b32a140904a648fca9dab614d73dcd94c" or
hash.sha1(0, 474224) == "09b03db91357d5a067439d101e81c163f4eba4b0" or
hash.sha1(0, 888864) == "e386145673963ebfedc99665868106ec00e23607" or
hash.sha1(0, 922480) == "bd13d22095d377938c50088e59fa3079143cb0f2" or
(hash.sha1(26160, 264618) == "25cb0ea0b706034409c7439ada832e141a9099cf" and hash.sha1(495056, 232672) == "bdc7c63c90390e7d737c04f37fe068b1d4398931") or
(hash.sha1(24704, 266058) == "e522e55f91c3fe14079fa142b0ffd41a929657c9" and hash.sha1(493628, 234068) == "aaa386881e9f0c210e8c300667c4631b9a32b365") or
(hash.sha1(47920, 275578) == "e29a36bf609f5c1700c91261574bf83757f5d6cc" and hash.sha1(524636, 235708) == "f87ee1e0488fbf3c64ab9cc40bfcef5745357afc") or
(hash.sha1(47616, 275866) == "e2dbe92730b3e06937d5270b21abd8151ba3a504" and hash.sha1(524348, 235988) == "d43f3b412debf84206efc2732a65926681b94e24") or
(hash.sha1(47632, 275850) == "5fb180aefdfa3a3c7163bd37fac7b8eb193e5286" and hash.sha1(524352, 235984) == "0a59d04c27ca3761e71330bcaf3c79e77fe665f3") or
(hash.sha1(22208, 268314) == "757f1e6b691c2e91f5b9fcebacf35edfcc9ce315" and hash.sha1(493612, 233732) == "639f0af300aed26656ac217ce28565f8eaed8d35") or
(hash.sha1(22208, 268314) == "757f1e6b691c2e91f5b9fcebacf35edfcc9ce315" and hash.sha1(493612, 233732) == "639f0af300aed26656ac217ce28565f8eaed8d35") or
hash.sha1(0, 454448) == "e4b84e22214062b57a3f3a81fba5d4ddd163b0bb" or
hash.sha1(0, 474144) == "5c448f6272d63a57c0e7965d09bd93e23a15ee86" or
hash.sha1(0, 888864) == "a15f39ce5007e25e742d071d15c8e38658165e5a" or
hash.sha1(0, 922384) == "cbf08fae71fcd46cc852fad7502685466c40e168" or
(hash.sha1(25584, 264906) == "38ae77158e1ce3079a36303bf45d46246befc753" and hash.sha1(494844, 232940) == "dddb9c37fa39a49c7e17f77ea8176fe0a29e23a2") or
(hash.sha1(24128, 266330) == "da85d3675bbd891f6e7d0269173243adaa1300ff" and hash.sha1(493444, 234284) == "d0fa0e947ab4d51278bc3c2be092918345dc9fc5") or
(hash.sha1(46928, 276282) == "51b695a80c74a0d30d4c614a8ecc605457bb7adc" and hash.sha1(524176, 236216) == "05806c64f585306b25a75ccdb071375ed1c74098") or
(hash.sha1(46624, 276570) == "326e55ae93aeced73be9bf830a574a4ea551b231" and hash.sha1(523872, 236496) == "55efadfed76814a75f11ed255da7ebdf90248a1d") or
(hash.sha1(46656, 276554) == "77b726c10e6d381456704be730c76b5963ff9625" and hash.sha1(523876, 236492) == "4420fede63ed01fd9fd20428d8738b105e8c6e41") or
(hash.sha1(37392, 269162) == "77756fb4720bc7ea364a947df659495a473ff15d" and hash.sha1(509160, 234424) == "dfdab2704a010782a4b0dfd180569c0aa245c866") or
(hash.sha1(53776, 269162) == "77756fb4720bc7ea364a947df659495a473ff15d" and hash.sha1(525544, 234424) == "dfdab2704a010782a4b0dfd180569c0aa245c866") or
hash.sha1(0, 450112) == "21b63689d192a7d1309d98afa35d42f695098d7a" or
hash.sha1(0, 474048) == "509dba18a168fdeecf990704741e14cb17b2a31e" or
hash.sha1(0, 888656) == "3a1665f1b92f1aae4eb44753f5134b3a0ec0a35f" or
hash.sha1(0, 444752) == "4a86f9cd51d9682a67bdd9921542806b9c32eef0" or
hash.sha1(0, 465232) == "5bb4e5bf7bab49945878993ca0faa70f83b732df" or
hash.sha1(0, 465888) == "5266f907da5c8fc78971e848fe89927acce2ba92" or
hash.sha1(0, 465792) == "d6a65d5bb692f5d82f0b1b688e660f1baf857538" or
hash.sha1(0, 922448) == "65e62ef1bd1ae50730974cafee5d8b22b97fa7aa" or
hash.sha1(0, 922448) == "a012a408a9a7108d71d771cb701725fa1894d539" or
hash.sha1(0, 922448) == "23d05530ee621b5f0410c5eac8840c7cf1e512e9" or
hash.sha1(0, 922448) == "2a62d6bcac7b0c5e75f561458e934ec45c77699c" or
(hash.sha1(25248, 264250) == "2d7ec4dcaad429421f2e61e62bbff0ca7cede95a" and hash.sha1(494424, 232080) == "ca15aa3cc18977d93bfc0f751305baaeadd02abc") or
(hash.sha1(24160, 265098) == "457869b75082919b9d44e3f9b3097bc1e2b76c0a" and hash.sha1(493392, 232872) == "6664a7a1399377447c6f4459e71a44aa0e30391e") or
(hash.sha1(45472, 276730) == "f32c2cdad1f8deb30cb235d2d196fb0d8b569dc2" and hash.sha1(521912, 237008) == "97a3e72e5426f7dcd4f40fc759336b0cf7073c10") or
(hash.sha1(45168, 277018) == "cafd8549f9a623c538d5c5b7799449c4121866bf" and hash.sha1(521608, 237288) == "e743db22d055f765d9948e0e66f934b67b7774f9") or
(hash.sha1(45152, 277034) == "81d3729c09971fce700a10e01284610a17003c5b" and hash.sha1(521588, 237308) == "be6313f77dc0de79a8d9e3d718f23cc5f8a7907b") or
(hash.sha1(36384, 269130) == "37bd3a555e23ee2f2792e78b79d30e6a1c0b2f1e" and hash.sha1(507920, 234144) == "fccc75ca700171c8d3fbc1add4b5f972ba0688d0") or
(hash.sha1(52768, 269130) == "37bd3a555e23ee2f2792e78b79d30e6a1c0b2f1e" and hash.sha1(524304, 234144) == "fccc75ca700171c8d3fbc1add4b5f972ba0688d0") or
hash.sha1(0, 955424) == "8d2f1644320ba4f90b2cd23eeca51843168f59b8" or
hash.sha1(0, 955424) == "263b243df32be6d9d9878c459d2fc6491342d547" or
(hash.sha1(52928, 269834) == "5e9380abd57f0f143b119695cba20cf4d98117bd" and hash.sha1(522040, 237840) == "78b2101b6fad4712a6df7905e7d51bbd5208bb48") or
(hash.sha1(51600, 271146) == "d334ecef808a49eb3841c1cdadc6bf1c9d2a6d2b" and hash.sha1(520692, 239156) == "0e0a6f18ddfb9620f9547ab6d4f5fe8fe29d6c1a") or
(hash.sha1(43104, 279610) == "5c1d1d356040ff714838ddb516620fbca71d0b45" and hash.sha1(519864, 239880) == "71c1b3143e3896dca48a674bd2155e6f450c5d61") or
(hash.sha1(42800, 279898) == "4e8afb74fe55b941c8e8eceeb77d8d4bee8e7a4c" and hash.sha1(519560, 240160) == "4b700681cb0a1a62831cdd3f4b5e79205ff11aa5") or
(hash.sha1(42800, 279898) == "627c3801155a14f4b985bf8e8549d9baf16c7da2" and hash.sha1(519564, 240156) == "3742d2860894378a745a8998013e42fcbeda44bf") or
(hash.sha1(33968, 272138) == "3b1254e5401eab70fcba51413a325347a5628ec2" and hash.sha1(506532, 236628) == "492e728422320a33d819b1133c7968b29bf17447") or
(hash.sha1(50352, 272138) == "3b1254e5401eab70fcba51413a325347a5628ec2" and hash.sha1(522916, 236628) == "492e728422320a33d819b1133c7968b29bf17447") or
hash.sha1(0, 450256) == "373d5b73e02899bda6091936efdd768821ba3dd2" or
hash.sha1(0, 474224) == "8d0f391449c0e479c189c10da873d047c2327d5f" or
hash.sha1(0, 888864) == "4db9cd9b165c3d820ab4f456df551e8f03c7a797" or
hash.sha1(0, 465728) == "163a01132cd6c038c8692d4ba5f50681181c74ce" or
hash.sha1(0, 465760) == "68387bf302163de4dcdcc9a7b1bb53d50ecc7256" or
hash.sha1(0, 905696) == "b05c39e48ac7959545028d20acd41010ae5726f4" or
hash.sha1(0, 922384) == "2a6d37160f21ec13aa6c692a3ca3374db3d35e96" or
(hash.sha1(27440, 263226) == "f4ab841ecd1d48e3085ae92b0b1ca8604e85ce83" and hash.sha1(496240, 231608) == "66be42c88520537be247d29f3b117323612dcdfc") or
(hash.sha1(25936, 264682) == "2bb4155dad4a0c6c8eec33e3ae5fd7bfc40d71f6" and hash.sha1(494820, 232972) == "5ec40ea1630d3f919171cf4a1fb64abf83bf9f5a") or
(hash.sha1(49008, 274346) == "ffe4482ab09ad6915bf594aa5b856bdd4e45e1bd" and hash.sha1(525904, 234536) == "b9f835adcc3332ffd4a041397550fbdaa36bfdbb") or
(hash.sha1(48704, 274634) == "2357331346f7bdab42efe34077d4f2cbf0aeeb47" and hash.sha1(525600, 234816) == "395d3290248c761e506f70d2e1517df586f0f4b2") or
(hash.sha1(48736, 274618) == "7b06f11ef35e3303ce0a24a0873e61c24f1a1f44" and hash.sha1(525604, 234812) == "b96a33dfe6f7df8e5af7b3b602750891d19f951e") or
(hash.sha1(23056, 267290) == "dd3b3211c25317d28f9a3ae3f400fe019b4fff4c" and hash.sha1(494756, 232636) == "0cf7e3b710028528974fbddf7791745568866535") or
(hash.sha1(23056, 267290) == "dd3b3211c25317d28f9a3ae3f400fe019b4fff4c" and hash.sha1(494756, 232636) == "0cf7e3b710028528974fbddf7791745568866535") or
hash.sha1(0, 454448) == "0d1cbf5473fab9156922de90a09b7a2e64aef328" or
hash.sha1(0, 474160) == "501bdd880699749ae3a7a6e9c2230f903200fcab" or
hash.sha1(0, 888864) == "976a71300d0c76bdf505e4a70be5e173471d683d" or
hash.sha1(0, 922368) == "1396fdbff38b787d14b1135dcdfc367658669637" or
(hash.sha1(22288, 267866) == "3af51e49dd4401abc6a7a5834b14a448ccce7427" and hash.sha1(491096, 236000) == "6aade93d0c0b34b96525f6ca30ec8de4caa62bce") or
(hash.sha1(53536, 269354) == "8628b9d4fa183c6d3b216a2b4c86ea4dd638bcf6" and hash.sha1(522536, 237272) == "5b1e151c1e216f952bdadf156e3ca14d4568cdc1") or
(hash.sha1(43552, 279306) == "c855d3e10958b6af42db92a3e361d1b27bb94c2d" and hash.sha1(520852, 238836) == "a896bbdbbca929b2e17919171725a2041452a9ec") or
(hash.sha1(43248, 279594) == "be15c2de5a35c24947fd625873d1748d64bfc1fb" and hash.sha1(520548, 239116) == "1d4da70c86c505e8117a2197a8c0ddae6f4ced72") or
(hash.sha1(43248, 279594) == "2673f90a96a4e00dbc2b873a9da32bcc0dbd84be" and hash.sha1(520552, 239112) == "7521b7b36a9276b87ffda4cd1e4be95ec4fdaa27") or
(hash.sha1(34416, 271818) == "7dc98e2010a865259407dd987601a4816f06a7e8" and hash.sha1(506396, 236660) == "4f17547c6c83d106cea576825fe838bbf07c69d1") or
(hash.sha1(50800, 271818) == "7dc98e2010a865259407dd987601a4816f06a7e8" and hash.sha1(522780, 236660) == "4f17547c6c83d106cea576825fe838bbf07c69d1") or
hash.sha1(0, 450256) == "533972a1736426bc23a715eb662e6374c6ea400a" or
hash.sha1(0, 474224) == "db31ba474d8f75437872f5caf275c1dd2609ee89" or
hash.sha1(0, 888864) == "eccacfd1946df9b74c8515aa5b54eab01c7582cb" or
hash.sha1(0, 469936) == "7377d0f081d93eb47ec5e6893e51291895622d91" or
hash.sha1(0, 922688) == "e4b6c56faa97493dc0f0f7c4fc2196096ef66513" or
(hash.sha1(25008, 264890) == "befbd5b2ce01539a857d9332bbba88bae2ac65a1" and hash.sha1(493260, 233572) == "7bb48f16db086713c52b723e0d60495eb813aee2") or
(hash.sha1(23632, 266250) == "450ec6c3f8109bf48bfa35ec8161a257765c17ae" and hash.sha1(491924, 234876) == "38584bebb3271d4a334adea2c6fdcc638c1df55f") or
(hash.sha1(47728, 274922) == "78b279ef031f5aae76a5376922bff5915eaeefb5" and hash.sha1(523088, 236360) == "8eba37d5f875f52c0bc935531cb0bb3f6793c81f") or
(hash.sha1(47424, 275210) == "4281ce5084d7f669374146b405def7872234aaed" and hash.sha1(522788, 236636) == "d45a917cbf21c272e7c8e6dd2148e32392d4939d") or
(hash.sha1(47424, 275210) == "91145c92e2e85d6ed5dd33f6e0c32f84d2f76d02" and hash.sha1(522788, 236636) == "763b985cbc7bb60934e848ca6375cf8dda59f47a") or
(hash.sha1(37296, 268714) == "cecfc085a9108edd47052e5a57e64670b59962eb" and hash.sha1(509452, 233364) == "ed630344a18228c94d6a7b5434757b42f8a7046e") or
(hash.sha1(53680, 268714) == "cecfc085a9108edd47052e5a57e64670b59962eb" and hash.sha1(525836, 233364) == "ed630344a18228c94d6a7b5434757b42f8a7046e") or
hash.sha1(0, 465600) == "d019a86482f03a0012d82a4455212ad36c9c09eb" or
hash.sha1(0, 466240) == "30b7f694684af729619f30567be5443f849a3399" or
hash.sha1(0, 465616) == "26565b29cfdd7de87da708ed45f4ab4799bdbb28" or
hash.sha1(0, 466224) == "de662a98ff4cdfeca3eb95e746d9c253b73ee846" or
hash.sha1(0, 448304) == "509aea0eb79253ced67a045738f1b9c6c84271ad" or
hash.sha1(0, 466272) == "2c1142a9d938e415f23dd40205909686a3c69c51" or
hash.sha1(0, 465600) == "acd00ea03ea2d9a2b43e8b076ee29b71255246b1" or
hash.sha1(0, 466304) == "4ff733254fd4ef6e0df07bcb5215f391437f3592" or
hash.sha1(0, 466224) == "926cc0c45610e286edccfe8104a95a096bfbaab2" or
hash.sha1(0, 465328) == "c4e43c7d6e8aeb39654906a1b8445402b04db355" or
hash.sha1(0, 465328) == "8a4994c138a24960818db2eec5c702acf25b0750" or
hash.sha1(0, 465328) == "fe026ba19524c71dbf70923bde8ca065f5f8e186" or
hash.sha1(0, 465616) == "a898e15d701e50f0c869abf62fab5cfe7854fa70" or
hash.sha1(0, 466240) == "572b4e472e25da27b64b29d40e0bf5f85448bcff" or
hash.sha1(0, 465776) == "74d8f5f5e904637d5b3383291d2d169643dda302" or
hash.sha1(0, 465328) == "df3896ea9f02ed8b4b1e8e13588766fb16b8aab0" or
hash.sha1(0, 465328) == "4a0359acfa8454454f8775ebc235f5bbd47b4d6c" or
hash.sha1(0, 465616) == "49916762bab2816fcd93fb553d5231d320ed1b51" or
(hash.sha1(22416, 268442) == "9c87e5a1281614714986c2fc0e934dbe6b57a746" and hash.sha1(491736, 236240) == "3aab2900d91e10f16a8c699d7f2f49e6ccf83827") or
(hash.sha1(54272, 269322) == "c2db6347040d8d76c85d28fa04e79024e17fc1bd" and hash.sha1(523648, 237064) == "02f286233bbc98aa840ab6b70dbf4f66d462111d") or
(hash.sha1(45744, 277818) == "551275307722b5ef579f5e7da5c9b59e2433f4c9" and hash.sha1(522048, 238560) == "fd16c95286f5f9d1ff87dc93f0417d4a3c35986a") or
(hash.sha1(45440, 278106) == "9ed6803200759a489e1a645ecb68cfbed2ebd166" and hash.sha1(521748, 238836) == "fc033effb80619af879cacae80ca2010b4662a1e") or
(hash.sha1(45456, 278090) == "1e725c6e13618a08164d9614402d9efa9d8c0e59" and hash.sha1(521748, 238836) == "1c432482778154334802e5d25b496690497485f0") or
(hash.sha1(36672, 270266) == "26cf2ce4510cac9f319eaab76b6a7f1425df0c79" and hash.sha1(508820, 235172) == "fbc9bf6bea034248ec8b96bb049af6c70837dbb7") or
(hash.sha1(53056, 270266) == "26cf2ce4510cac9f319eaab76b6a7f1425df0c79" and hash.sha1(525204, 235172) == "fbc9bf6bea034248ec8b96bb049af6c70837dbb7")
)
}
rule XProtect_MACOS_7f5b902
{
meta:
description = "MACOS.7f5b902"
strings:
$a1 = { 2f 71 75 65 72 79 2f 74 6f 3f 71 69 3d 31 26 63 61 74 65 67 6f 72 79 3d 77 65 62 26 61 70 70 5f 69 64 3d }
$a2 = { 2f 69 6e 73 74 61 6c 6c 2f 61 67 65 6e 74 5f 75 70 64 61 74 65 3f 73 65 73 73 69 6f 6e 5f 69 64 3d }
$a3 = { 2f 6d 6f 6e 65 74 69 7a 65 3f 73 65 73 73 69 6f 6e 5f 69 64 3d }
$a4 = { 2f 69 6e 73 74 61 6c 6c 3f 73 65 73 73 69 6f 6e 5f 69 64 3d }
$a5 = { 2f 69 6e 73 74 61 6c 6c 2f 66 69 72 73 74 5f 74 69 6d 65 3f 73 65 73 73 69 6f 6e 5f 69 64 3d }
$a6 = { 2f 74 61 73 6b 2d 66 6f 72 3f 65 6d 69 64 3d }
$b1 = { 26 65 78 74 3d 31 26 7a 3d 35 26 71 75 65 72 79 3d 6d 79 51 75 65 72 79 }
$b2 = { 63 6f 6d 2e 61 70 70 6c 65 2e 71 75 61 72 61 6e 74 69 6e 65 }
$b3 = { 67 65 74 20 76 65 72 73 69 6f 6e 20 6f 66 20 61 70 70 6c 69 63 61 74 69 6f 6e 20 22 53 61 66 61 72 69 22 }
$b4 = { 26 26 69 73 5f 73 65 74 5f 73 70 5f 61 70 70 72 6f 76 65 64 3d }
$b5 = { 26 69 73 5f 69 6e 73 74 61 6c 6c 5f 61 63 63 65 70 74 65 64 3d }
$b6 = { 41 72 65 20 79 6f 75 20 73 75 72 65 20 79 6f 75 20 77 61 6e 74 20 74 6f 20 71 75 69 74 20 69 6e 73 74 61 6c 6c 61 74 69 6f 6e 20 3f }
$b7 = { 51 75 69 74 69 6e 67 20 77 69 6c 6c 20 63 61 6e 63 65 6c 20 69 6e 73 74 61 6c 6c 61 74 69 6f 6e }
condition:
Macho and ( 1 of ( $a* ) ) and ( 3 of ( $b* ) ) and filesize < 400KB
}
rule XProtect_MACOS_a291b70
{
meta:
description = "MACOS.a291b70"
strings:
$a1 = { 2f 69 6e 73 74 61 6c 6c 2f 61 67 65 6e 74 5f 75 70 64 61 74 65 3f 65 6d 69 64 3d }
$a2 = { 2f 6d 6f 6e 65 74 69 7a 65 3f 73 65 73 73 69 6f 6e 5f 69 64 3d }
$a3 = { 2f 69 6e 73 74 61 6c 6c 3f 73 65 73 73 69 6f 6e 5f 69 64 3d }
$a4 = { 2f 69 6e 73 74 61 6c 6c 2f 66 69 72 73 74 5f 74 69 6d 65 3f 73 65 73 73 69 6f 6e 5f 69 64 3d }
$a5 = { 25 40 3f 65 6d 69 64 3d 25 40 26 61 70 70 49 64 3d 25 40 }
$b1 = { 63 6f 6d 2e 61 70 70 6c 65 2e 71 75 61 72 61 6e 74 69 6e 65 }
$b2 = { 67 65 74 20 76 65 72 73 69 6f 6e 20 6f 66 20 61 70 70 6c 69 63 61 74 69 6f 6e 20 22 53 61 66 61 72 69 22 }
$b3 = { 26 69 73 5f 73 65 74 5f 73 70 5f 61 70 70 72 6f 76 65 64 3d }
$b4 = { 26 69 73 5f 69 6e 73 74 61 6c 6c 5f 61 63 63 65 70 74 65 64 3d }
$b5 = { 26 73 61 66 61 72 69 5f 73 70 5f 73 65 74 3d }
$b6 = { 41 72 65 20 79 6f 75 20 73 75 72 65 20 79 6f 75 20 77 61 6e 74 20 74 6f 20 71 75 69 74 20 69 6e 73 74 61 6c 6c 61 74 69 6f 6e 20 3f }
$b7 = { 51 75 69 74 69 6e 67 20 77 69 6c 6c 20 63 61 6e 63 65 6c 20 69 6e 73 74 61 6c 6c 61 74 69 6f 6e }
$b8 = { 69 6f 72 65 67 20 2d 6c 20 7c 20 67 72 65 70 20 2d 65 20 4d 61 6e 75 66 61 63 74 75 72 65 72 20 2d 65 20 5c 27 56 65 6e 64 6f 72 20 4e 61 6d 65 5c 27 }
$b9 = { 73 65 61 72 63 68 20 69 73 20 64 65 73 69 67 6e 65 64 20 74 6f 20 70 72 6f 76 69 64 65 20 79 6f 75 20 74 68 65 20 62 65 73 74 20 73 65 61 72 63 68 20 65 78 70 65 72 69 65 6e 63 65 }
$b10 = { 73 65 61 72 63 68 20 72 65 73 75 6c 74 73 20 61 6e 64 20 72 65 63 6f 6d 6d 61 6e 64 61 74 69 6f 6e 73 20 69 6e 20 72 65 61 6c 20 74 69 6d 65 2c 20 65 6e 6a 6f 79 }
condition:
Macho and ( 2 of ( $a* ) ) and ( 4 of ( $b* ) ) and filesize < 500KB
}
rule XProtect_MACOS_30445d1
{
meta:
description = "MACOS.30445d1"
strings:
$a1 = { 23 21 2f 62 69 6e 2f 73 68 }
$a2 = { 23 21 2f 62 69 6e 2f 62 61 73 68 }
$b = { 68 69 6e 74 3d 22 24 28 6c 73 20 7c 20 67 72 65 70 20 2d 76 20 27 31 2e 70 6e 67 5c 7c 32 2e 69 63 6e 73 5c 7c 63 6f 6e 76 65 72 74 65 72 2e 74 6f 6f 6c 5c 7c 73 63 72 69 70 74 2d 65 6e 63 27 29 22 }
$c = { 63 6d 64 3d 22 24 28 6f 70 65 6e 73 73 6c 20 65 6e 63 20 2d 64 20 2d 61 65 73 2d 32 35 36 2d 63 62 63 20 2d 41 20 2d 62 61 73 65 36 34 20 2d 6b 20 24 68 69 6e 74 20 2d 69 6e 20 73 63 72 69 70 74 2d 65 6e 63 20 7c 20 73 68 20 2d 29 22 }
condition:
any of ( $a* ) and $b and $c and filesize < 5MB
}
rule XProtect_MACOS_d4735e3
{
meta:
description = "MACOS.d4735e3"
strings:
$a1 = { 8B B2 C4 67 56 5C 63 42 8E F0 CF C5 F4 8D 87 AE 58 0C 5B A4 14 }
$a2 = { D2 5A C9 65 FE D7 69 C7 A7 3B F9 5E 6A 35 9B 20 20 65 77 E5 14 }
$b1 = { 41 0f b6 55 ?? 49 8d 3c 1f 31 c0 4c 89 e6 e8 ?? ?? ?? ?? 49 ff c5 48 83 c3 ?? 48 83 fb ?? 75 ?? }
$b2 = { 49 89 f5 49 89 fe bf ?? ?? ?? ?? }
$b3 = { 25 30 32 78 00 }
$c = { 0f b6 33 31 c6 40 88 31 48 ff c3 48 ff c1 ff ca 75 ?? }
$d = {
31 ff e8 ?? ?? ?? ?? 89 c7 e8 ?? ?? ?? ?? e8 ??
?? ?? ?? 48 63 c8 48 69 c9 ?? ?? ?? ?? 48 89 ca
48 c1 ea ?? 48 c1 f9 ?? 01 d1 c1 e1 ?? 8d 0c c9
f7 d9 8d 7c 08 ?? e8 ?? ?? ?? ??
}
$e1 = { 30 48 37 42 53 35 34 71 42 66 75 47 37 61 6c 6d 71 66 76 55 37 63 6e 32 35 31 42 6c 6b 4e 43 5a 68 55 70 62 6b 61 6f 30 78 67 71 57 6c 57 77 46 4c 44 42 58 68 37 68 68 44 70 49 47 6b 6b 35 76 6f 42 4d 72 44 33 43 52 33 70 42 44 4b 75 43 70 48 36 4b 6e 6b 49 73 33 37 7a 4d 57 31 47 58 68 39 62 42 32 75 65 57 48 53 71 77 3d }
$e2 = { 75 70 41 63 75 6b 43 31 71 68 50 72 45 45 39 4d 78 6f 42 45 76 37 6d 4d 6d 37 50 59 54 73 61 50 6f 70 6f 55 2b 73 41 49 68 4d 50 74 70 52 4a 55 63 35 57 41 6d 47 4a 38 6a 6c 71 76 6a 7a 63 7a 6f 4e 44 39 32 77 64 71 57 30 33 53 30 65 64 63 6b 33 49 41 50 59 3d 3d }
$e3 = { 4d 31 61 79 42 61 69 39 76 38 72 50 46 41 77 58 74 48 46 59 2f 76 41 54 2b 70 4c 31 64 44 68 62 39 35 36 74 6a 44 63 4e 4d 37 41 3d }
$e4 = { 4d 6c 6b 48 56 64 52 62 4f 6b 72 61 39 73 2b 47 36 35 4d 41 6f 4c 67 61 33 34 30 74 33 2b 7a 6a 2f 75 38 4c 50 66 50 33 68 69 67 3d }
$e5 = { 31 53 69 62 34 48 66 50 75 52 51 6a 70 78 49 70 45 43 6e 78 78 54 50 69 75 33 46 58 4f 46 41 48 4d 78 2f 2b 39 4d 45 56 76 39 4d 2b 68 31 6e 67 56 37 54 35 57 55 50 33 62 30 7a 73 67 30 51 64 }
$f = { 49 4a 4b 4c 4d 4e 4f 50 67 68 69 6a 6b 6c 6d 6e 41 42 43 44 45 46 47 48 51 52 53 54 55 56 57 58 34 35 36 37 38 39 2b 2f 6f 70 71 72 73 74 75 76 59 5a 61 62 63 64 65 66 77 78 79 7a 30 31 32 33 }
condition:
Macho and filesize < 200KB and 1 of ( $a* ) and 1 of ( $b* ) and $c and $d and 2 of ( $e* ) and $f
}
rule XProtect_MACOS_b5bd028
{
meta:
description = "MACOS.b5bd028"
strings:
$a = { 23 21 2f 62 69 6e 2f 62 61 73 68 }
$b1 = { 2f 70 61 72 61 6d 73 4a 73 6f 6e 2e 6a 73 6f 6e }
$b2 = { 2f 2e 52 65 73 6f 75 72 63 65 73 }
condition:
$a at 0 and all of ($b*) and filesize < 1KB
}
rule XProtect_MACOS_d98ded3
{
meta:
description = "MACOS.d98ded3"
strings:
$a1 = { 50 58 ( 90 90 | 90 90 90 | 90 90 90 90 | 90 90 90 90 90 ) 50 58 ( 90 90 | 90 90 90 | 90 90 90 90 | 90 90 90 90 90 ) }
$a2 = { 50 50 58 ( 90 90 | 90 90 90 | 90 90 90 90 | 90 90 90 90 90 ) 58 ( 90 90 | 90 90 90 | 90 90 90 90 | 90 90 90 90 90 ) }
$a3 = { 50 50 50 58 ( 90 90 | 90 90 90 | 90 90 90 90 | 90 90 90 90 90 ) 58 ( 90 90 | 90 90 90 | 90 90 90 90 | 90 90 90 90 90 ) 58 ( 90 90 | 90 90 90 | 90 90 90 90 | 90 90 90 90 90 ) }
$b1 = { 5f 43 46 55 55 49 44 43 72 65 61 74 65 }
$b2 = { 5f 43 46 55 55 49 44 43 72 65 61 74 65 53 74 72 69 6e 67 }
$c1 = { 5f 73 79 73 74 65 6d }
$c2 = { 6c 61 75 6e 63 68 65 64 54 61 73 6b 57 69 74 68 4c 61 75 6e 63 68 50 61 74 68 3a 61 72 67 75 6d 65 6e 74 73 3a }
condition:
Macho and any of ($a*) and all of ($b*) and any of ($c*) and filesize < 5MB
}
rule XProtect_MACOS_9a3e9ed
{
meta:
description = "MACOS.9a3e9ed"
strings:
$a1 = { 55 48 89 e5 [0 - 2] 83 ff 7? 77 3? 89 f8 48 8d 0d ?? 2? 00 00 48 63 04 81 48 01 c8 ff e0 bf 09 00 00 00 e8 ?d 7? 00 00 [30 - 40] 31 (db | c0) }
$a2 = { f4 4f be a9 fd 7b 01 a9 fd 43 00 91 1f dc 01 71 08 ?? ?? 54 [0 - 30] 20 01 80 52 }
$a3 = { 5F 67 65 74 5F 75 70 64 61 74 65 72 5F 63 73 74 72 5F 63 6F 6E 73 74 }
$b1 = { 7b 73 65 61 72 63 68 54 48 }
$b2 = { 2e 6d 79 63 6f 75 70 6f 48 }
$b3 = { 6e 73 6d 61 72 74 73 6d 48 }
$b4 = { 70 72 75 64 65 6e 73 65 48 }
$b5 = { 5f 53 4d 4a 6f 62 53 75 62 6d 69 74 }
$b6 = { 5f 6b 53 4d 44 6f 6d 61 69 6e 53 79 73 74 65 6d 4c 61 75 6e 63 68 64 }
$b7 = { 49 4f 50 6c 61 74 66 6f 72 6d 53 65 72 69 61 6c 4e 75 6d 62 65 72 }
$b8 = { 79 6f 75 67 6f 74 75 70 64 61 74 65 64 }
$b9 = { 2d 6d 65 74 68 6f 64 3d 72 75 6e }
$b10 = { 72 65 74 72 69 65 76 65 4D 61 63 68 69 6E 65 49 64 }
$b11 = { 72 75 6E 41 70 70 6C 65 53 63 72 69 70 74 }
$b12 = { 6D 6F 64 69 66 79 55 73 65 72 44 65 66 61 75 6C 74 73 }
condition:
Macho and filesize < 500KB and ((2 of ($a*)) or (5 of ($b*)))
}
rule XProtect_MACOS_22f03bb
{
meta:
description = "MACOS.22f03bb"
strings:
$a1 = { 63 72 79 70 74 6F 5F 32 20 6C 6F 61 64 }
$a2 = { 68 6F 6F 6B 43 6F 6D 6D 6F 6E }
$a3 = { 6D 79 4F 43 4C 6F 67 3A }
$a4 = { 72 75 6E 53 68 65 6C 6C 57 69 74 68 43 6F 6D 6D 61 6E 64 3A 63 6F 6D 70 6C 65 74 65 42 6C 6F 63 6B }
condition:
Macho and (all of ($a*)) and filesize < 2MB
}
rule XProtect_MACOS_e150543
{
meta:
description = "MACOS.e150543"
strings:
$a1 = { 53 68 65 6c 6c 56 69 65 77 }
$a2 = { 6f 6b 45 76 74 }
$a3 = { 63 6c 6f 73 65 45 76 74 }
$a4 = { 63 61 6e 63 65 6c 45 76 74 }
$a5 = { 72 75 6e 4d 6f 64 61 6c 3a }
$a6 = { 4f 70 74 3a }
$a7 = { 63 72 61 62 73 3a }
$a8 = { 54 6d 70 3a }
condition:
Macho and 3 of them and filesize < 200KB
}
rule XProtect_MACOS_efb903b
{
meta:
description = "MACOS.efb903b"
strings:
$a = { 5f 64 69 73 70 61 74 63 68 5f 61 73 79 6e 63 }
$b1 = { 43 44 44 53 4d 61 63 42 61 73 65 49 6e 66 6f }
$b2 = {
68 74 74 70 3a 2f 2f 63
67 69 31 2e 61 70 6e 69
63 2e 6e 65 74 2f 63 67
69 2d 62 69 6e 2f 6d 79
2d 69 70 2e 70 68 70
}
$c = { 25 40 2f 4d 47 44 2f }
$d1 = {
44 72 69 76 65 43 72 65
64 73
}
$d2 = {
67 65 74 44 72 69 76 65
54 6f 4d 65 6d 6f 72 79
}
$d3 = {
63 68 65 63 6b 44 72 69
76 65 43 6d 64 46 69 6c
65 4c 69 73 74
}
condition:
Macho and filesize < 2MB and
all of ($a*) and
(any of ($b*) or all of ($c*)) and
2 of ($d*)
}
rule XProtect_snowdrift {
meta:
description = "SNOWDRIFT"
strings:
$a = {
68 74 74 70 73 3a 2f 2f
61 70 69 2e 70 63 6c 6f
75 64 2e 63 6f 6d 2f 67
65 74 66 69 6c 65 6c 69
6e 6b 3f 70 61 74 68 3d
25 40 26 66 6f 72 63 65
64 6f 77 6e 6c 6f 61 64
3d 31
}
$b = {
2d 5b 4d 61 6e 61 67 65
6d 65 6e 74 20 69 6e 69
74 43 6c 6f 75 64 3a 61
63 63 65 73 73 5f 74 6f
6b 65 6e 3a 5d
}
$c = {
2a 2e 64 6f 63 3b 2a 2e
64 6f 63 78 3b 2a 2e 78
6c 73 3b 2a 2e 78 6c 73
78 3b 2a 2e 70 70 74 3b
2a 2e 70 70 74 78 3b 2a
2e 68 77 70 3b 2a 2e 68
77 70 78 3b 2a 2e 63 73
76 3b 2a 2e 70 64 66 3b
2a 2e 72 74 66 3b 2a 2e
61 6d 72 3b 2a 2e 33 67
70 3b 2a 2e 6d 34 61 3b
2a 2e 74 78 74 3b 2a 2e
6d 70 33 3b 2a 2e 6a 70
67 3b 2a 2e 65 6d 6c 3b
2a 2e 65 6d 6c 78
}
condition:
Macho and 2 of them
}
rule XProtect_MACOS_da36796
{
meta:
description = "MACOS.da36796"
strings:
$ = { 4d 65 74 61 49 6e 73 74 61 6c 6c 65 72 }
$ = { 53 69 6c 65 6e 74 49 6e 73 74 61 6c 6c 65 72 57 69 6e 64 6f 77 }
$ = { 69 6e 73 74 61 6c 6c 65 72 2e 70 6c 69 73 74 }
$ = { 6d 65 74 61 64 61 74 61 55 52 4c }
$ = { 72 65 70 6f 72 74 55 52 4c }
condition:
Macho and all of them and filesize < 1MB
}
rule XProtect_MACOS_KEYSTEAL_A
{
meta:
description = "MACOS.KEYSTEAL.A"
strings:
$ = { 64 61 74 61 3A 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78 2D 61 70 70 6C 65 2D 61 73 70 65 6E 2D 6D 6F 62 69 6C 65 70 72 6F 76 69 73 69 6F 6E 3B 62 61 73 65 36 34 2C 25 40 }
$ = { 00 6E 65 77 64 65 76 00 6E 65 77 69 64 00 67 6F 67 6F 67 6F 00 }
$ = { 7B 22 64 61 74 61 22 3A 22 25 40 22 7D }
condition:
Macho and all of them and filesize < 1MB
}
rule XProtect_HONKBOX_A
{
meta:
description = "MACOS.HONKBOX.A"
strings:
$ = { 65 34 70 70 67 7a 75 65 71 6a 69 61 6d 33 71 76 68 7a 66 66 77 72 61 61 6b 76 63 67 7a 72 6a 70 35 64 7a 6c 33 78 7a 76 32 34 77 36 71 35 72 6a 72 37 6b 71 2e 62 33 32 2e 69 32 70 }
$ = { 69 67 6e 6b 62 70 66 71 75 68 62 36 36 68 67 37 34 64 74 6b 69 71 69 65 74 79 6d 6d 68 63 33 78 77 63 66 77 70 73 70 62 37 36 62 34 77 64 61 64 76 32 63 71 2e 62 33 32 2e 69 32 70 }
$ = { 70 61 6b 6e 68 33 69 66 6b 33 6d 6a 32 67 71 35 77 36 67 62 66 7a 78 77 61 32 6e 64 36 71 6c 65 6b 6c 77 33 37 72 6c 7a 6f 63 71 69 70 71 37 71 34 6c 63 61 2e 62 33 32 2e 69 32 70 }
$ = { 68 67 68 73 66 6b 72 61 74 35 64 64 37 69 6b 71 7a 6b 33 64 33 68 35 6a 61 74 74 6a 78 6c 72 75 36 7a 6d 78 7a 78 64 37 79 33 77 69 62 36 67 6f 6f 64 6d 71 2e 62 33 32 2e 69 32 70 }
$ = { 6a 69 61 73 69 6c 33 61 37 6b 63 78 69 74 75 34 73 77 6c 69 78 62 6e 79 74 36 77 62 62 6d 36 35 6b 71 6b 6e 71 6b 6e 6e 76 6b 6a 32 79 76 6a 37 6c 6c 69 71 2e 62 33 32 2e 69 32 70 }
condition:
Macho and any of them and filesize < 200MB
}
rule XProtect_HONKBOX_B
{
meta:
description = "MACOS.HONKBOX.B"
strings:
$ = { 42 41 53 45 36 34 42 4c 4f 42 3d 22 58 51 41 41 67 41 44 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f }
$ = { 42 41 53 45 36 34 42 4c 4f 42 20 7c 20 62 61 73 65 36 34 20 2d 6f 20 22 }
$ = { 52 41 4e 44 4f 4d 20 25 20 31 30 30 30 }
condition:
Macho and all of them and filesize < 100MB
}
rule XProtect_HONKBOX_C
{
meta:
description = "MACOS.HONKBOX.C"
strings:
$ = { 50 4c 44 3d 22 58 51 41 41 67 41 44 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f }
$ = { 65 63 68 6f 20 24 50 4c 44 20 7c 20 62 61 73 65 36 34 20 2d 64 20 3e 20 22 }
$ = { 52 41 4e 44 4f 4d 20 25 20 31 30 30 30 }
condition:
Macho and all of them and filesize < 5MB
}
rule XProtect_MACOS_44db411
{
meta:
description = "MACOS.44db411"
gk_first_launch_only = true
match_type = 2
strings:
$a1 = { 2F 55 73 65 72 73 2F 25 40 2F 4C 69 62 72 61 72 79 2F 41 70 70 6C 69 63 61 74 69 6F 6E 20 53 75 70 70 6F 72 74 2F 53 6D 61 72 74 20 4D 61 63 20 43 61 72 65 2F 6C 69 63 65 6E 73 65 69 6E 66 6F 2E 70 6C 69 73 74 }
$b1 = { 69 73 45 78 70 69 72 65 64 4C 69 63 65 6E 73 65 }
$b2 = { 69 73 56 61 6C 69 64 4C 69 63 65 6E 73 65 }
$b3 = { 69 73 4D 6F 72 65 4C 69 63 65 6E 73 65 }
$b4 = { 69 73 4B 65 79 73 49 6E 63 6F 72 72 65 63 74 }
$b5 = { 64 61 79 73 52 65 6D 61 69 6E 69 6E 67 }
$c1 = { 63 6F 6D 2E 74 75 6E 65 75 70 6D 79 6D 61 63 }
condition:
Macho and
filesize < 8MB and
all of them
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment