2015-01-18 21:27:53 +03:00
|
|
|
{
|
|
|
|
"name": "Shellshock IOCs (nginx and more)",
|
2015-05-28 18:40:11 +03:00
|
|
|
"target": "environment->>'os' IN ('linux','darwin') AND mode='daemon'",
|
2015-01-18 21:27:53 +03:00
|
|
|
"threat": {
|
|
|
|
"family": "malware",
|
|
|
|
"level": "high"
|
|
|
|
},
|
|
|
|
"operations": [
|
|
|
|
{
|
|
|
|
"module": "file",
|
|
|
|
"parameters": {
|
|
|
|
"searches": {
|
|
|
|
"iocs": {
|
|
|
|
"paths": [
|
|
|
|
"/usr/bin",
|
|
|
|
"/usr/sbin",
|
|
|
|
"/bin",
|
|
|
|
"/sbin",
|
|
|
|
"/tmp",
|
|
|
|
"/var/tmp"
|
|
|
|
],
|
2015-12-16 11:34:56 +03:00
|
|
|
"sha2": [
|
2015-01-18 21:27:53 +03:00
|
|
|
"73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489",
|
|
|
|
"ae3b4f296957ee0a208003569647f04e585775be1f3992921af996b320cf520b",
|
|
|
|
"2d3e0be24ef668b85ed48e81ebb50dce50612fb8dce96879f80306701bc41614",
|
|
|
|
"2ff32fcfee5088b14ce6c96ccb47315d7172135b999767296682c368e3d5ccac",
|
|
|
|
"1f5f14853819800e740d43c4919cc0cbb889d182cc213b0954251ee714a70e4b",
|
|
|
|
"2bc9a2f7374308d9bb97b8d116177d53eaca060b562f6f66f5dd1af71c9d7a66"
|
|
|
|
],
|
|
|
|
"contents": [
|
|
|
|
"/bin/busybox;echo -e '\\\\147\\\\141\\\\171\\\\146\\\\147\\\\164'",
|
|
|
|
"legend.rocks"
|
|
|
|
],
|
|
|
|
"names": [
|
|
|
|
"legend.txt"
|
|
|
|
]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"module": "netstat",
|
|
|
|
"parameters": {
|
|
|
|
"connectedip": [
|
|
|
|
"108.162.197.26",
|
|
|
|
"162.253.66.76",
|
|
|
|
"89.238.150.154",
|
|
|
|
"198.46.135.194",
|
|
|
|
"166.78.61.142",
|
|
|
|
"23.235.43.31",
|
|
|
|
"54.228.25.245",
|
|
|
|
"23.235.43.21",
|
|
|
|
"23.235.43.27",
|
|
|
|
"198.58.106.99",
|
|
|
|
"23.235.43.25",
|
|
|
|
"23.235.43.23",
|
|
|
|
"23.235.43.29",
|
|
|
|
"108.174.50.137",
|
|
|
|
"201.67.234.45",
|
|
|
|
"128.199.216.68",
|
|
|
|
"75.127.84.182",
|
|
|
|
"82.118.242.223",
|
|
|
|
"24.251.197.244",
|
|
|
|
"166.78.61.142",
|
|
|
|
"119.110.98.93",
|
|
|
|
"2.0.1.5"
|
|
|
|
]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"description": {
|
|
|
|
"author": "Julien Vehent",
|
|
|
|
"email": "ulfr@mozilla.com",
|
|
|
|
"revision": 201410031030
|
|
|
|
},
|
|
|
|
"syntaxversion": 2
|
|
|
|
}
|
|
|
|
|