From 954bb8da3bfc5fbf336242c47b0a969cb492738a Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Sun, 13 May 2018 07:29:49 +0200
Subject: [PATCH] new patterns
---
 malware5.pl | 4 ++++
 malwaresh.pl | 4 +++-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/malware5.pl b/malware5.pl
index 5be0228..77f67bf 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -514,6 +514,10 @@ my @regexen = (
 qr/<\?PHP\s+\#\s+Web\s+Shell\s+by\s+oRb.+?\\x3B\"\)\;\s+\?>/is,
 qr/<\?php\s+\$([A-z0-9]{1,20})\=\'.+?([A-z0-9]{1,20})\|.+?\;\$([A-z0-9]{1,20})\=\_\_FILE\_\_\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\{\d\}\.\$([A-z0-9]{1,20})\{\d\d\}\.\$.+?eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(.+?([A-z0-9]{1,20})\=\=\'\;/is,
 qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\;\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20}).+?\$([A-z0-9]{1,20})\=\_\_FILE\_\_\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\{\d.+?eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\'([A-z0-9]{1,20}).+?\)\)\)\;return\;.+?([A-z0-9]{1,20})\=\=\'\;/is,
+ qr/<\?php\s+\$login\_successful\s+\=\s+false\;.+?function\s+selfURL\(\)\s+\{.+?if\(eregi\(\"Linux\"\,\$OSV\)\).+?\$proxy\_shit\=.+?\$([A-z0-9]{1,20})\s+\=\s+urlencode\(\$\w\)\;\s+\?>/is,
+ qr/