Yara Rule - Suspicious files in MacOS (possible malware persistence)

Yara Rule - Suspicious PLIST files in MacOS (possible malware persistence)

Yara definition.

Author: John Lambert @JohnLaTwC

https://objective-see.com/blog/blog_0x3A.html

Excerpt of the rule's `meta` and `strings` sections as shown on this page; the rule header, the remaining strings and the `condition` are not reproduced here.

```yara
    meta:
        date = "2018-12-14"
        modified = "2023-05-11"
        hash1 = "0541fc6a11f4226d52ae3d4158deb8f50ed61b25bb5f889d446102e1ee57b76d"
        hash2 = "6cc6abec7d203f99c43ce16630edc39451428d280b02739757f17fd01fc7dca3"
    strings:
        /* false-positive exclusions ($fp1 and $fp2 are not shown on this page) */
        $fp3 = "video/mp4;base64"
        $fp4 = "<key>Content-Length</key>"
        $fp5 = "<string>yara</string>"
        $fp6 = "<key>Frameworks/base64.framework</key>" ascii /* Webex */
        $fp7 = "<key>Headers/base64.h</key>" ascii /* Webex */
        $fp8 = "database64" ascii fullword
        $fp9 = "<!-- last arg will be replaced by the installer script -->" ascii
        $fp10 = "<key>/usr/local/bin/python</key>"
        $fp11 = "<key>/usr/bin/ruby</key>"
```
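The `$fp*` strings above are an allow-list: a PLIST that contains any of them (Webex bundles, installer templates, interpreter launch agents) is excluded from the rule's hits, and `fullword` on `$fp8` keeps `database64` from being matched inside a longer token. The following Python is an added example, not code from the rule or from signature-base, that re-implements only this false-positive side of the rule in plain Python so the modifiers can be checked offline without yara-python. It assumes YARA's `fullword` semantics (the match may not be adjacent to an ASCII alphanumeric character) and uses constructed sample PLIST snippets; the rule's positive `$s*` strings and its `condition` are not on this page and are therefore not modeled.

```python
"""Added example: model the $fp* allow-list of the PLIST persistence rule.

Not the rule's own code. Only the false-positive strings listed on the page
are implemented; the rule's positive strings and condition are not shown there.
"""
import re

# (identifier, literal, fullword) exactly as the page lists the $fp strings.
# "ascii" is YARA's default encoding, so it needs no special handling here.
FP_STRINGS = [
    ("fp3", "video/mp4;base64", False),
    ("fp4", "<key>Content-Length</key>", False),
    ("fp5", "<string>yara</string>", False),
    ("fp6", "<key>Frameworks/base64.framework</key>", False),  # Webex
    ("fp7", "<key>Headers/base64.h</key>", False),             # Webex
    ("fp8", "database64", True),                               # fullword
    ("fp9", "<!-- last arg will be replaced by the installer script -->", False),
    ("fp10", "<key>/usr/local/bin/python</key>", False),
    ("fp11", "<key>/usr/bin/ruby</key>", False),
]


def _fullword_regex(literal: bytes) -> re.Pattern:
    # YARA fullword (assumed semantics): the literal must not be immediately
    # preceded or followed by an alphanumeric character.
    return re.compile(rb"(?<![A-Za-z0-9])" + re.escape(literal) + rb"(?![A-Za-z0-9])")


def matched_fp_strings(data: bytes) -> list:
    """Return the identifiers of all $fp strings that match `data`, in rule order."""
    hits = []
    for name, literal, fullword in FP_STRINGS:
        lit = literal.encode("ascii")
        found = _fullword_regex(lit).search(data) is not None if fullword else lit in data
        if found:
            hits.append(name)
    return hits


def is_excluded(data: bytes) -> bool:
    """Mirror the `not any of ($fp*)` gate: True means the file is allow-listed."""
    return bool(matched_fp_strings(data))


# Constructed samples (not real files): a Webex-style bundle manifest, a
# launch agent that only names the interpreter, and two fullword edge cases.
SAMPLE_WEBEX = b"<key>Frameworks/base64.framework</key><string>abc</string>"
SAMPLE_RUBY_AGENT = b"<key>/usr/bin/ruby</key><key>Content-Length</key>"
SAMPLE_LONG_TOKEN = b"<string>mydatabase64x</string>"     # fp8 must NOT match
SAMPLE_EXACT_TOKEN = b"<string>database64</string>"        # fp8 matches
SAMPLE_NO_FP = b"<key>ProgramArguments</key><string>Li9wYXlsb2Fk</string>"

if __name__ == "__main__":
    for label, blob in [("webex", SAMPLE_WEBEX), ("ruby", SAMPLE_RUBY_AGENT),
                        ("long token", SAMPLE_LONG_TOKEN), ("exact token", SAMPLE_EXACT_TOKEN),
                        ("no fp", SAMPLE_NO_FP)]:
        print(f"{label:12s} excluded={is_excluded(blob)!s:5s} fp={matched_fp_strings(blob)}")
```

When tuning exclusions, the `long token` case is the one to re-check after edits: dropping `fullword` from `$fp8` would silently allow-list any file whose content merely contains the substring `database64`.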


[https://github.com/Neo23x0/signature-base/commit/497d90f03abda76953d569aa3204c4d8b66cc1c8](https://github.com/Neo23x0/signature-base/commit/497d90f03abda76953d569aa3204c4d8b66cc1c8)