signature-base/yara/apt_webshell_chinachopper.yar


rule ChinaChopper_Generic {
	meta:
		description = "China Chopper Webshells - PHP and ASPX"
		author = "Florian Roth"
		reference = "https://www.fireeye.com/content/dam/legacy/resources/pdfs/fireeye-china-chopper-report.pdf"
		date = "2015/03/10"
	strings:
		$aspx = /%@\sPage\sLanguage=.Jscript.%><%eval\(RequestItem\[.{,100}unsafe/
		$php = /<?php.\@eval\(\$_POST./
	condition:
		1 of them
}
First Signature Set 2016-02-15 09:22:28 +00:00
			`rule ChinaChopper_Generic {`
			`meta:`
			`description = "China Chopper Webshells - PHP and ASPX"`
			`author = "Florian Roth"`
			`reference = "https://www.fireeye.com/content/dam/legacy/resources/pdfs/fireeye-china-chopper-report.pdf"`
			`date = "2015/03/10"`
			`strings:`
			`$aspx = /%@\sPage\sLanguage=.Jscript.%><%eval\(RequestItem\[.{,100}unsafe/`
			`$php = /<?php.\@eval\(\$_POST./`
			`condition:`
			`1 of them`
			`}`