There is no description at this point.
rule elf_persirai_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-05-04" version = "1" description = "Detects elf.persirai." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.persirai" malpedia_rule_date = "20260422" malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 57 56 53 81ec0c280000 8bac2428280000 81bc2424280000ff270000 7779 } // n = 7, score = 100 // 57 | push edi // 56 | push esi // 53 | push ebx // 81ec0c280000 | sub esp, 0x280c // 8bac2428280000 | mov ebp, dword ptr [esp + 0x2828] // 81bc2424280000ff270000 | cmp dword ptr [esp + 0x2824], 0x27ff // 7779 | ja 0x7b $sequence_1 = { 31c0 81c4a4000000 5b 5e c3 89e2 } // n = 6, score = 100 // 31c0 | xor eax, eax // 81c4a4000000 | add esp, 0xa4 // 5b | pop ebx // 5e | pop esi // c3 | ret // 89e2 | mov edx, esp $sequence_2 = { 894108 c7411420000000 5b 5e c3 } // n = 5, score = 100 // 894108 | mov dword ptr [ecx + 8], eax // c7411420000000 | mov dword ptr [ecx + 0x14], 0x20 // 5b | pop ebx // 5e | pop esi // c3 | ret $sequence_3 = { 57 56 53 83ec0c 89c7 be???????? } // n = 6, score = 100 // 57 | push edi // 56 | push esi // 53 | push ebx // 83ec0c | sub esp, 0xc // 89c7 | mov edi, eax // be???????? | $sequence_4 = { 53 e8???????? 66c744241c0200 83c410 eb16 66833b02 7410 } // n = 7, score = 100 // 53 | push ebx // e8???????? | // 66c744241c0200 | mov word ptr [esp + 0x1c], 2 // 83c410 | add esp, 0x10 // eb16 | jmp 0x18 // 66833b02 | cmp word ptr [ebx], 2 // 7410 | je 0x12 $sequence_5 = { 56 53 83ec0c 89c7 be???????? } // n = 5, score = 100 // 56 | push esi // 53 | push ebx // 83ec0c | sub esp, 0xc // 89c7 | mov edi, eax // be???????? | $sequence_6 = { 83ec10 8b5c2418 ff74241c 53 e8???????? 83c410 83caff } // n = 7, score = 100 // 83ec10 | sub esp, 0x10 // 8b5c2418 | mov ebx, dword ptr [esp + 0x18] // ff74241c | push dword ptr [esp + 0x1c] // 53 | push ebx // e8???????? | // 83c410 | add esp, 0x10 // 83caff | or edx, 0xffffffff $sequence_7 = { 89c3 8b8424b4000000 8944241c 8b8424b8000000 89442420 8b8424bc000000 89442424 } // n = 7, score = 100 // 89c3 | mov ebx, eax // 8b8424b4000000 | mov eax, dword ptr [esp + 0xb4] // 8944241c | mov dword ptr [esp + 0x1c], eax // 8b8424b8000000 | mov eax, dword ptr [esp + 0xb8] // 89442420 | mov dword ptr [esp + 0x20], eax // 8b8424bc000000 | mov eax, dword ptr [esp + 0xbc] // 89442424 | mov dword ptr [esp + 0x24], eax $sequence_8 = { 8b542418 89d0 83c41c c3 56 53 83c8ff } // n = 7, score = 100 // 8b542418 | mov edx, dword ptr [esp + 0x18] // 89d0 | mov eax, edx // 83c41c | add esp, 0x1c // c3 | ret // 56 | push esi // 53 | push ebx // 83c8ff | or eax, 0xffffffff $sequence_9 = { d1fa 0fb68292810508 c3 55 57 56 53 } // n = 7, score = 100 // d1fa | sar edx, 1 // 0fb68292810508 | movzx eax, byte ptr [edx + 0x8058192] // c3 | ret // 55 | push ebp // 57 | push edi // 56 | push esi // 53 | push ebx condition: 7 of them and filesize < 229376 }
rule elf_persirai_w0 { meta: description = "Detects Persirai Botnet Malware" soure = "http://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/" author = "Tim Yeh" reference = "Internal Research" date = "2017-04-21" hash = "f736948bb4575c10a3175f0078a2b5d36cce1aa4cd635307d03c826e305a7489" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.persirai" malpedia_version = "20170509" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $x1 = "ftpupload.sh" fullword ascii $x2 = "/dev/misc/watchdog" fullword ascii $x3 = "/dev/watchdog" ascii $x4 = ":52869/picsdesc.xml" fullword ascii $x5 = "npxXoudifFeEgGaACScs" fullword ascii $s1 = "ftptest.cgi" fullword ascii $s2 = "set_ftp.cgi" fullword ascii $s3 = "2580e538f3723927f1ea2fdb8d57b99e9cc37ced1" fullword ascii $s4 = "023ea8c671c0abf77241886465200cf81b1a2bf5e" fullword ascii condition: uint16(0) == 0x457f and filesize < 300KB and ((1 of ($x*) and 1 of ($s*)) or 2 of ($s*)) }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below. Changes regarding references should be proposed on the Malpedia library page.
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY