New Crypto Coin miner rule

2024-11-06 10:05:18 +00:00 · 2019-02-02 17:14:17 +01:00 · 2019-02-02 17:14:17 +01:00 · 0ee2f3d05f
commit 0ee2f3d05f
parent 925aed89f5
1 changed files with 17 additions and 0 deletions
--- a/yara/pua_cryptocoin_miner.yar
+++ b/yara/pua_cryptocoin_miner.yar
@ -27,3 +27,20 @@ rule CoinHive_Javascript_MoneroMiner {
   condition:
      filesize < 65KB and 1 of them
 }
+
+rule PUA_CryptoMiner_Jan19_1 {
+   meta:
+      description = "Detects Crypto Miner strings"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2019-01-31"
+      hash1 = "ede858683267c61e710e367993f5e589fcb4b4b57b09d023a67ea63084c54a05"
+   strings:
+      $s1 = "Stratum notify: invalid Merkle branch" fullword ascii
+      $s2 = "-t, --threads=N       number of miner threads (default: number of processors)" fullword ascii
+      $s3 = "User-Agent: cpuminer/" ascii
+      $s4 = "hash > target (false positive)" fullword ascii
+      $s5 = "thread %d: %lu hashes, %s khash/s" fullword ascii
+   condition:
+      filesize < 1000KB and 1 of them
+}