Yara Rule - Suspicious files in MacOS (possible malware persistence) - Neo23x0


Yara Rule - Suspicious PLIST files in MacOS (possible malware persistence)

Yara definition.

Author: John Lambert @JohnLaTwC

https://objective-see.com/blog/blog_0x3A.html

```yara
$http2 = "680074007400700073003a002f002f00" nocase
$http3 = "6600740070003a002f002f00" nocase
uint32be(0) == 0x7B5C7274 and $obj and $doc and $wsdl and 1 of ($http*)

score = 40
date = "2017-08-29"
modified = "2023-10-19"
$a1 = "certutil -decode " ascii wide
$a2 = "certutil  -decode " ascii wide
$a3 = "certutil.exe -decode " ascii wide
$a4 = "certutil.exe  -decode " ascii wide
$a5 = "certutil -urlcache -split -f http" ascii wide
$a6 = "certutil.exe -urlcache -split -f http" ascii wide
$fp_msi = { 52 00 6F 00 6F 00 74 00 20 00 45 00 6E 00 74 00 72 00 79 }

date = "2018-12-14"
modified = "2023-10-19"
old_rule_name = "gen_malware_MacOS_plist_suspicious"
hash1 = "0541fc6a11f4226d52ae3d4158deb8f50ed61b25bb5f889d446102e1ee57b76d"
hash2 = "6cc6abec7d203f99c43ce16630edc39451428d280b02739757f17fd01fc7dca3"
hash8 = "c449f8115b4b939271cb92008a497457e1ab1cf2cbd8f4b58f7ba955cf5624f0"
hash9 = "cdb2fb9c8e84f0140824403ec32a2431fb357cd0f184c1790152834cc3ad3c1b"
$sr1 = "PropertyList-"
$sr2 = "<plist"
$p1 = "python" ascii
$p2 = "<string>-c" ascii
$v0 = /\<string\>[\/|\w]{0,20}\+[\/|\+|=|\w]{59,80}\<\/string\>/
$fp10 = "<key>/usr/local/bin/python</key>"
$fp11 = "<key>/usr/bin/ruby</key>"
and uint32be(0) == 0x3c3f786d

score = 0
(uint32be(0) == 0x44434d01 and // magic: DCM PA30
uint32be(4) == 0x50413330)
```


[https://github.com/Neo23x0/signature-base/commit/5b34a20bbb9ca9b30ecc0d422785e8100a77aa9e](https://github.com/Neo23x0/signature-base/commit/5b34a20bbb9ca9b30ecc0d422785e8100a77aa9e)