
/*
   Yara Rule Set
   Author: Brian Laskowski
   Date: 2018-08-19
   Identifier: shell2
   Reference: https://github.com/Hestat/lw-yara/
*/

/* Rule Set ----------------------------------------------------------------- */

rule infected_08_19_18_shell2_404 {
   // Flags the obfuscated PHP web shell seen as "404.php" (lw-yara set).
   // $enc1 is the decoder line that opens the file; $enc2..$enc10 are
   // fragments of the encoded payload blob that follows it, copied from the
   // sample byte for byte, so a re-encoded variant is not expected to match.
   meta:
      description = "shell2 - file 404.php"
      author = "Brian Laskowski"
      reference = "https://github.com/Hestat/lw-yara/"
      date = "2018-08-19"
      hash1 = "4b4a78553e8c9f03c0713bed9059d828bb8d7512b3404482993df4cfa4d28d13"
   strings:
      // Decoder stub: assembles function names by indexing into $MZz9092.
      $enc1 = "<?php $MZz9092 = \"tr7_zj13lp)f4hd0ny;8suwqi529.mk6/o*avebx(cg\";$AI2908 = $MZz9092[9].$MZz9092[1].$MZz9092[37].$MZz9092[42].$MZ" ascii
      // Encoded payload fragments, in file order.
      $enc2 = "zzsW/EH6uL3xjfBfPQlftp+p89WMv+6Yv6O3J38v/ae4fybwPeeXkYlhf+/K87ycD5C//gI+OIFneb4lfFH+/0t9VeG/G+tzYH2Tvwf+92j9Xfze1FeTD/Ig/CH9Hzv3" ascii
      $enc3 = "C72/D3k+ntBfiZeE/5/wKfJz+X6xz3l+4sOmP7Fmpjo/R/GfhKeQP9zZD1HzbNW3qdcup0X/dzU/Ef+Hd38G9fcF80/Ndx7Jj2yK9P23fgx/VvsFTPBv8C+hf63HxV/Z" ascii
      $enc4 = "GLXvx9TfOH9e81z0a/g3m58gf2z8LZ1/zD6Un0Bl3Q/4zAv8m5i/nOGXB/+//H/ly6X/fkkdKX4a/FB6pRZ/JK2v9Id3PvU18yPt/yN9/sr6NdVjk3EW+/PH/dllfx/6" ascii
      $enc5 = "5fl98meNj6n+lP7A+Ve1+6VH/BHIs9jjryN/F9ff0bcW5Fdea+cq4meyeJijF0b/IH9Uz190/l7Ql0ufUJ3Qd5NTkXn19I+t9Q3KH7V+0v4F66x/g+e9Gp0POpifuOiv" ascii
      $enc6 = "5y/8t+APXfFndX1k/pD1NfDrj/AirC9f53rW/TzY0xd+gOZnqoepd1UHwmGGn1mgv+X5nuFXRL0QNa39h9DvDNR/HfNoeH3C7/ExEX56WvwR8V87gHeW8FtUZ4hfOdnn" ascii
      $enc7 = "+W+zyvzBifnejhxE8B/hquCvzqfTPV2jzxHuVHOe/If8zxL+BhmUnP8xX5e+r0S/LP3PFj7PVfP7Af5CBX879WPX9/lS5/zZbkz/bvOrNE9YWR9nf7vMBxf/s3QdKf6e" ascii
      $enc8 = "576jPpc+wfWg8tmPC3+F/q1f6jvlP6uv2/Ne28UfCT5CnI/xPXee15i/B15mfzdy6+GPp7/5ivf77m9pv2bPGslXGbhfwn8o7h/8xXVuznc6uqkS/Fz4Cvh9J/2H9T/C" ascii
      $enc9 = "SP/SF/vTMP8wDx3930h+b/K75edlf07ze5d80Zp8pszHHFfov1TfZn62/UGv5GO7/+rND+LzjS38KvTR7lsr51On/uj+xj7LmX94dj6N/eejPnmkXhAfXfNn+g/zv52P" ascii
      $enc10 = "Z978yv6R3hV+GvlLB/z7OvON0h+lQJ+99Pf+/OvMb7P+Zf3hPf+KfIOj9U/2R7b/TMP8wJ4j+J+N7o/vdubnhu4/87Vq9Mua3z3ij6acw9J+XzX4gu7/ltpUGAv+VJXr" ascii
   condition:
      // Every fragment must be present. The condition as originally written
      // also carried a "<?" header check (uint16(0) == 0x3f3c) and a
      // filesize < 100KB guard, but OR'd them with a bare "all of them", so
      // they never narrowed the match; the effective condition is stated
      // directly here. NOTE(review): if those guards were meant to apply,
      // restore them and drop the bare branch instead.
      all of ($enc*)
}
