Panchan detection logic and IoCs

This repository contains YARA and Snort rules that detect the Panchan cryptojacker.
It also includes a bash script that checks for the malware's persistence service, its binary, and its listening port.

In addition, we have included the IDAPython script we used to parse the Go 1.18 pclntab and match function names to function pointers in IDA.

It is a modification of SentinelOne's AlphaGolang, adapted to the pclntab structure of Go 1.18.

The full report about Panchan can be found in our blog post.


Osquery

We're also including osquery queries that can be run to look for the malware's IoCs.

Malware files and process

SELECT path FROM file WHERE path LIKE '/.%/xinetd';
SELECT name, cmdline, pid FROM processes WHERE path LIKE '/.%/xinetd';

Persistence

SELECT path FROM file WHERE path = '/bin/systemd-worker' OR path = '/lib/systemd/system/systemd-worker.service';
SELECT name, cmdline, pid FROM processes WHERE name = 'systemd-worker';

Communication

SELECT name, cmdline, pid FROM listening_ports INNER JOIN processes USING (pid) WHERE port = 1919;
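The same three checks (hidden-directory binary, persistence files, port 1919 listener) as a host-side scan function, written here as an added example rather than the repository's own panchan_detect.sh; the function name panchan_scan and the root-directory parameter are assumptions so the check can also run against a mounted image or a test tree.

```shell
#!/usr/bin/env bash
# Added example, not the repository's panchan_detect.sh. Scans a filesystem
# root for the Panchan artifacts listed in the README above. The root is a
# parameter (assumed name: panchan_scan ROOT) so the same logic runs against
# "/" on a live host or against a mounted disk image.

PANCHAN_PORT=1919

# panchan_scan ROOT
# Prints one line per finding; returns 1 if anything was found, 0 otherwise.
panchan_scan() {
    root="${1:-/}"
    root="${root%/}"        # "/" becomes "" so "$root/bin/..." stays absolute
    found=0

    # Persistence: dropped binary plus its systemd unit.
    for p in "$root/bin/systemd-worker" \
             "$root/lib/systemd/system/systemd-worker.service"; do
        if [ -e "$p" ]; then
            echo "persistence: $p"
            found=1
        fi
    done

    # Malware binary: "xinetd" inside a hidden directory at the root
    # (the osquery pattern '/.%/xinetd' written as a shell glob).
    for f in "$root"/.*/xinetd; do
        case "$f" in "$root"/./*|"$root"/../*) continue ;; esac  # skip . and ..
        [ -f "$f" ] || continue                                  # glob matched nothing
        echo "binary: $f"
        found=1
    done

    # Communication: a TCP listener on the peer-to-peer port. Only meaningful
    # on the live host (root "/") and only when ss is installed.
    if [ "$root" = "" ] && command -v ss >/dev/null 2>&1; then
        if ss -lnt 2>/dev/null | awk 'NR > 1 {print $4}' | grep -q ":${PANCHAN_PORT}\$"; then
            echo "listener: tcp port $PANCHAN_PORT"
            found=1
        fi
    fi

    return "$found"
}
```

Run as `panchan_scan /` on a host, or `panchan_scan /mnt/image` on a mounted root; a non-zero exit status means at least one artifact was found.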
