From 9d60271b112ad21596fabd9b8bc1284fa04b6534 Mon Sep 17 00:00:00 2001
From: nichogenius
Date: Mon, 31 Jul 2017 04:02:04 -0600
Subject: [PATCH] Added array_ and cslashes

Found a couple of cases where the php functions array_shift and addcslashes were used in base64 encoded malware. Adding strings to catch any references to 'cslashes' which will catch both addcslashes and strip cslashes Adding strings to catch any references to 'array_' which will catch about a dozen array modification functions.
---
patterns_raw.txt | 10 ++++++++++
1 file changed, 10 insertions(+)

diff --git a/patterns_raw.txt b/patterns_raw.txt
index 148ea28..57607b3 100644
--- a/patterns_raw.txt
+++ b/patterns_raw.txt
@@ -102,6 +102,16 @@ Zm9wZW ZvcGVu mb3Blb
+# "array_" in base64
+YXJyYXlf
+FycmF5X
+hcnJheV
+
+# "cslashes" in base64
+Y3NsYXNoZX
+NzbGFzaGVz
+jc2xhc2hlc
+
 # "anyresults.net" in base64 ... this one may be too specific ?
 YW55cmVzdWx0cy5uZX
 FueXJlc3VsdHMubmV0
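Review bot: The `array_` strings added in this hunk (`YXJyYXlf`, `FycmF5X`, `hcnJheV`) are only seven or eight characters long and will match any base64 blob that encodes an `array_*` call, including legitimately encoded plugin or theme code, so they are likely to raise noticeably more false positives than the neighbouring entries. The same applies, to a lesser degree, to the three `cslashes` strings. The two new comments should record that breadth and why each keyword has three strings, e.g. `# "array_" in base64, one string per 3-byte alignment; broad: matches every array_* function, expect false positives`. If the scanner can weight or combine patterns, reporting these only alongside another hit would keep the signal usable; whether it can is not visible from this hunk.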