osx.mami

MaMi


There is no description at this point.

References
2018-01-11 | Objective-See | Patrick Wardle
Ay MaMi
MaMi
Yara Rules
[TLP:WHITE] osx_mami_w0 (20180114 | No description)
// Flags a file that starts with a Mach-O or universal-binary magic and contains the
// string set below. The meta section attributes the rule to the osx.mami (MaMi) family.
// Every string is a plain literal with no `wide` or `nocase` modifier, so it matches
// exact-case ASCII only; a rebuilt or string-obfuscated variant would not be caught.
// Use a hit as a triage lead and confirm it against the write-ups referenced in meta.
rule osx_mami_w0 {   
    meta:   
        author = "jaime.blasco@alienvault.com"   
        tlp = "white"   
        // `reference` appears twice. YARA accepts repeated meta identifiers, but a consumer
        // that loads meta into a key/value map may keep only one of the two URLs.
        reference = "https://objective-see.com/blog/blog_0x26.html"   
        reference = "https://otx.alienvault.com/pulse/5a58e02ff88cca5706841164"  
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/osx.mami"
        malpedia_version = "20180114"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:   
        // File magics as they appear on disk:
        //   cf fa ed fe = 0xfeedfacf, 64-bit Mach-O, little-endian
        //   ce fa ed fe = 0xfeedface, 32-bit Mach-O, little-endian
        //   ca fe ba be = 0xcafebabe, fat/universal binary; Java class files start with
        //                 the same four bytes, so the magic alone does not prove Mach-O.
        $header0 = { cf fa ed fe }   
        $header1 = { ce fa ed fe }   
        $header2 = { ca fe ba be }   
        // Group $a: both strings are required by the condition.
        // $a2 looks like an identifier embedded in the binary; what it names is not shown
        // on this page. It is the most family-specific string here, so a variant that
        // renames it would evade the rule.
        $a2 = "dnsChanger_activity"   
        // Path of the system killall utility; common in benign software, weak on its own.
        $a3 = "/usr/bin/killall"   
        // Group $b: one of the two is enough. `%@` is the Foundation format specifier for
        // an object, so both look like format templates filled in at run time.
        // $b1: multipart/form-data part header naming a field and a file, i.e. an HTTP
        // file upload (presumably built by the sample itself; confirm in the write-up).
        $b1 = "Content-Disposition: form-data; name=\"%@\"; filename=\"%@\""   
        // $b2: argument template for the macOS `security add-trusted-cert` command:
        // -d admin cert store, -r trustRoot, -k target keychain, then the certificate.
        // A certificate added this way becomes a trusted root on the host, so on a hit
        // review the keychains for roots nobody can account for.
        $b2 = "add-trusted-cert -d -r trustRoot -k %@ %@"   
    condition:   
        // One of the three magics at offset 0, both $a strings, and at least one $b string.
        // There is no filesize bound, so files of any size are evaluated.
        ($header0 at 0 or $header1 at 0 or $header2 at 0) and all of ($a*) and 1 of ($b*)   
}