Comments (6)

Neo23x0 avatar Neo23x0 commented on August 22, 2024

Interesting - these are the strings and all of them have to match to trigger the rule.
The utility was bundled with a hack tool set.
Looking at the strings, I guessed that it is malicious too. I have no idea if I should mark this as a false positive or not. I'll start a run on a goodware set to see if the tool is benign.

    strings:
        $s0 = "or: %s -r [host.tty]" fullword ascii
        $s1 = "%s: process: character, ^x, or (octal) \\032 expected." fullword ascii
        $s2 = "Type \"screen [-d] -r [pid.]tty.host\" to resume one of them." fullword ascii
        $s6 = "%s: at [identifier][%%|*|#] command [args]" fullword ascii
        $s8 = "Slurped only %d characters (of %d) into buffer - try again" fullword ascii
        $s11 = "command from %s: %s %s" fullword ascii
        $s16 = "[ Passwords don't match - your armor crumbles away ]" fullword ascii
        $s19 = "[ Passwords don't match - checking turned off ]" fullword ascii
    condition:
        all of them

from loki.

Neo23x0 avatar Neo23x0 commented on August 22, 2024

Could you run the tool and see what it does?
Should be a hack tool / port scanner if the signature matches.

My research shows unambiguous results:

90af44cbb1c8a637feda1889d301d82fff7a93b0c1a09534909458a64d8d8558 - LinuxHacktool_eyes_screen - FILE
RESULT: 27 / 54
7347970e3f929177210bb70ae3754d99ea1acc312be11d0cd33c6d2cb33748e5 - LinuxHacktool_eyes_screen - FILE
RESULT: 0 / 56
7ade70b102fb0724ec97a061ecf8485291bf613912687ae59808cb8e1e519ab9 - LinuxHacktool_eyes_screen - FILE
RESULT: 0 / 54
68e374d974432fceb6a5984f49b9dd801b5dbdc73371c111310bf5dd379f228b - LinuxHacktool_eyes_screen - FILE
RESULT: 0 / 56
f4c257104f65e46b130fbe2b60a0e8f541a1af1fae8b1c59902086996bdfc171 - LinuxHacktool_eyes_screen - FILE
RESULT: 0 / 54
ce529b5bea7a570ece323d8ca8d4325cbae31e33647a938510a73efa786aea84 - LinuxHacktool_eyes_screen - FILE
RESULT: 0 / 56
51ad92fa411567c4b7d67e38ffd60e7cbd8b77097c3d6c2947c024d913df7335 - LinuxHacktool_eyes_screen - FILE
RESULT: 0 / 54
4c5dc56d0110670ac048774400b2a85ddcaf0aea109600f2dcae9e29b1d8559f - LinuxHacktool_eyes_screen - FILE
RESULT: 0 / 56
8ffa0b9614ec465d758ddce43e961886b9b7c19f8a941d0e9f89eb91ca1c4fe2 - LinuxHacktool_eyes_screen - FILE
RESULT: 0 / 56
4da0e535c36c0c52eaa66a5df6e070c52e7ddba13816efc3da5691ea2ec06c18 - LinuxHacktool_eyes_screen - FILE
RESULT: 32 / 57
e395ca5f932419a4e6c598cae46f17b56eb7541929cdfb67ef347d9ec814dea3 - LinuxHacktool_eyes_screen - FILE
RESULT: 32 / 56
5f80bd2db608a47e26290f3385eeb5bfc939d63ba643f06c4156704614def986 - LinuxHacktool_eyes_screen - FILE
RESULT: 31 / 55
c4524644014ca6b22261fa69f98ad3fdec067d9c197ae34bf01752e152590029 - LinuxHacktool_eyes_screen - FILE
RESULT: 0 / 57
10d515305aa9db8a95ec6a5d325746f1c383e6d99b5134d768adfceb319165c4 - LinuxHacktool_eyes_screen - FILE
RESULT: 0 / 58
85542cbdd62491d73deda0628565b3a7e3d14c2c0cfdce394a64dc95f64ea427 - LinuxHacktool_eyes_screen - FILE
RESULT: 0 / 55

Neo23x0 avatar Neo23x0 commented on August 22, 2024

OK, I replaced the rule with better ones.
You could scan again with an updated signature-base.

Neo23x0/signature-base@dd4cb5d

BrianCrosby34 avatar BrianCrosby34 commented on August 22, 2024

OK, I have run a scan on /usr with 15.2 and the new sig base. That match is gone; these, though, have shown up instead.

,Scanning /usr ...
20160403T07:30:34Z,s-MacBook-Pro.local,NOTICE,Yara Rule MATCH: Cloaked_as_JPG TYPE: GZIP DESCRIPTION: Detects a cloaked file as JPG FILE: /usr/share/cups/ipptool/color.jpg FIRST_BYTES: 1f8b08008aad11510203ecb87554d4cffff8fb5a / QuTZ MD5: c1009419741729cd00ef3a5ecc0adbcc SHA1: d2197fe6f11c418aa712b96524aa632081ec020e SHA256: 8bfb6cc965792621615907afc7372410a021e91d0c829d863ba20f55dfa58839 MATCHES:
20160403T07:30:39Z,s-MacBook-Pro.local,NOTICE,Yara Rule MATCH: Cloaked_as_JPG TYPE: GZIP DESCRIPTION: Detects a cloaked file as JPG FILE: /usr/share/cups/ipptool/gray.jpg FIRST_BYTES: 1f8b0800a62f714e02039cba073cd5efff37fe36 / /qN<76 MD5: 0c1332067154dd6dd8a17bb9a4fd8161 SHA1: 10c15a8c16c9712991c9e0396172578ff5cc034d SHA256: 995089ff7e5e3c03430910e66251074f1615ccf164307feee03f2959f14cb506 MATCHES:
20160403T07:30:40Z,s-MacBook-Pro.local,NOTICE,Yara Rule MATCH: Cloaked_as_JPG TYPE: GZIP DESCRIPTION: Detects a cloaked file as JPG FILE: /usr/share/cups/ipptool/testfile.jpg FIRST_BYTES: 1f8b0800cf5265480203ecba55505c41d7363ab8 / ReHUP\A6: MD5: cf45166223e626d143d9b2113aff7e65 SHA1: 19254ce0a3cc984ee4f2cf10dadf8f0568187a11 SHA256: b99adc3de6526722974c17a2f28c6e5b52232acf34b79ac0d93d890ace8b660c MATCHES:
20160403T07:40:13Z,s-MacBook-Pro.local,RESULT,SYSTEM SEEMS TO BE CLEAN.

Neo23x0 avatar Neo23x0 commented on August 22, 2024

That's good news.
The "Notice" level messages are false positives but I don't want to change the signature. It's true that those JPG files are in fact GZIP files. We often found that attackers used JPG cloaking to hide their EXE, ZIP, RAR files.
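The `Cloaked_as_JPG` notices above rest on a single observation: the file name claims JPEG, but the first bytes (`1f8b08`) are a GZIP header. The Python below is an added example of that extension-versus-magic check, written here for illustration and not taken from Loki or signature-base. It sniffs a small table of magic prefixes (the image types a name can claim, plus the GZIP, ZIP, RAR and EXE containers the comment says attackers hide behind a `.jpg` name), flags only a confident mismatch, and then runs the same check over the three NOTICE lines quoted in the thread, parsing the `FILE:` and `FIRST_BYTES:` fields so the log itself is the input. The `triage_loki_log` helper and its regular expression are assumptions of this example, not part of Loki's output format beyond what the quoted lines show.

```python
# Added example: flag files whose extension claims an image type but whose
# leading bytes identify a different, known format. Magic values are the
# standard published prefixes; the log lines are the ones quoted in the thread.
from __future__ import annotations

import os
import re

# Ordered (name, magic prefix) table. Longer/more specific prefixes are fine
# here because no entry is a prefix of another.
MAGIC = [
    ("jpeg", bytes.fromhex("ffd8ff")),
    ("png", bytes.fromhex("89504e470d0a1a0a")),
    ("gif", b"GIF8"),
    ("gzip", bytes.fromhex("1f8b08")),
    ("zip", b"PK\x03\x04"),
    ("rar", b"Rar!\x1a\x07"),
    ("pe", b"MZ"),
    ("elf", b"\x7fELF"),
]

# What an extension claims the content to be. Only image types are listed
# because that is the cloaking pattern the rule targets.
CLAIMED = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}


def sniff(head: bytes) -> str | None:
    """Identify the format from the leading bytes, or None if unknown."""
    for name, magic in MAGIC:
        if head.startswith(magic):
            return name
    return None


def cloak_check(path: str, head: bytes):
    """Return (claimed, actual, cloaked).

    cloaked is True only when the extension makes a claim AND the content is
    a recognised format that contradicts it. Unknown content is left alone:
    an unrecognised header is not evidence of cloaking, and treating it as
    such would flood a scan with noise.
    """
    ext = os.path.splitext(path)[1].lower()
    claimed = CLAIMED.get(ext)
    actual = sniff(head)
    cloaked = claimed is not None and actual is not None and actual != claimed
    return claimed, actual, cloaked


# Regex for the FILE and FIRST_BYTES fields as they appear in the quoted
# Loki NOTICE lines (an assumption based on those lines, not a Loki spec).
_NOTICE_RE = re.compile(r"FILE: (\S+) FIRST_BYTES: ([0-9a-fA-F]+)")


def triage_loki_log(lines):
    """Re-check each NOTICE line's FILE against its FIRST_BYTES.

    Returns a list of (path, claimed, actual) for lines judged cloaked.
    """
    findings = []
    for line in lines:
        m = _NOTICE_RE.search(line)
        if not m:
            continue
        path, first_bytes = m.group(1), bytes.fromhex(m.group(2))
        claimed, actual, cloaked = cloak_check(path, first_bytes)
        if cloaked:
            findings.append((path, claimed, actual))
    return findings


# The three NOTICE lines from the thread, trimmed to the fields used here.
SAMPLE_LOKI_LINES = [
    "20160403T07:30:34Z,s-MacBook-Pro.local,NOTICE,Yara Rule MATCH: Cloaked_as_JPG TYPE: GZIP "
    "FILE: /usr/share/cups/ipptool/color.jpg FIRST_BYTES: 1f8b08008aad11510203ecb87554d4cffff8fb5a / QuTZ",
    "20160403T07:30:39Z,s-MacBook-Pro.local,NOTICE,Yara Rule MATCH: Cloaked_as_JPG TYPE: GZIP "
    "FILE: /usr/share/cups/ipptool/gray.jpg FIRST_BYTES: 1f8b0800a62f714e02039cba073cd5efff37fe36 / /qN<76",
    "20160403T07:30:40Z,s-MacBook-Pro.local,NOTICE,Yara Rule MATCH: Cloaked_as_JPG TYPE: GZIP "
    "FILE: /usr/share/cups/ipptool/testfile.jpg FIRST_BYTES: 1f8b0800cf5265480203ecba55505c41d7363ab8 / ReHUP",
    "20160403T07:40:13Z,s-MacBook-Pro.local,RESULT,SYSTEM SEEMS TO BE CLEAN.",
]


if __name__ == "__main__":
    for path, claimed, actual in triage_loki_log(SAMPLE_LOKI_LINES):
        print(f"{path}: named as {claimed}, content is {actual}")
```

The check reproduces the three notices, which is the point of the comment above: the detection is correct about what the files are, and whether a GZIP-behind-.jpg is a test fixture or a smuggled archive is a triage decision made afterwards, with the file's location and hash as the next inputs. Keeping the rule and triaging the hits, as the thread does, is preferable to weakening the rule until the benign case disappears.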

BrianCrosby34 avatar BrianCrosby34 commented on August 22, 2024

Excellent, I'll close this then.
