feat(d-eyes): init

zitn
2023-11-06 16:31:16 +08:00
parent 804617ded3
commit 270bb18b98
117 changed files with 19222 additions and 0 deletions


@@ -0,0 +1,53 @@
import "hash"
rule blackmoon_hash
{
meta:
description ="Detect the risk of Malware blackmoon Rule 1"
condition:
hash.md5(0,filesize) =="22E46CBCF02D78390D257AEE0FE26EDE" or
hash.md5(0,filesize) =="65982DEB6AC30B9F1F4DAB1AA26A0D0E" or
hash.md5(0,filesize) =="C4A73F3BBDD1E64EF146A232967B1BC5" or
hash.md5(0,filesize) =="93EB67FDB2D0C767887C6F6284844386" or
hash.md5(0,filesize) =="F73436646F905504027809A461D0A8D9" or
hash.md5(0,filesize) =="63EC62319605B43D68EB25B9F84153C8" or
hash.sha256(0,filesize) =="25f87c65a793186c7a9e1d8680ad7f32acb9bae4cb7284b98781b3a15f810ba2" or
hash.sha256(0,filesize) =="a57980012b38dc89baab954e7da3fa7112dd52b2252a72f87ec2510a70d2ade7"
}
rule BLACKMOON_BANKER {
meta:
description ="Detect the risk of Malware blackmoon Rule 2"
detail = "blackmoon update"
strings:
$s1 = "BlackMoon RunTime Error:" nocase wide ascii
$s2 = "\\system32\\rundll32.exe" wide ascii
$s3 = "cmd.exe /c ipconfig /flushdns" wide ascii
$s4 = "\\system32\\drivers\\etc\\hosts.ics" wide ascii
condition:
all of them
}
rule BlackMoon_2022
{
meta:
description ="Detect the risk of Malware blackmoon Rule 3"
strings:
$s1 = "kongxin1123"
$s2 = "m27p.com"
$s3 = "jincpay.com"
$s4 = "xiaoniu321.com"
condition:
hash.md5(0,filesize) == "22e46cbcf02d78390d257aee0fe26ede" or
hash.md5(0,filesize) == "65982deb6ac30b9f1f4dab1aa26a0d0e" or
hash.md5(0,filesize) == "93eb67fdb2d0c767887c6f6284844386" or
hash.md5(0,filesize) == "c4a73f3bbdd1e64ef146a232967b1bc5" or
hash.md5(0,filesize) == "f73436646f905504027809a461d0a8d9" or
hash.md5(0,filesize) == "63ec62319605b43d68eb25b9f84153c8" or
hash.md5(0,filesize) == "37C030456818878AF1DC8CE7928A504F" or
$s1 or
$s2 or
$s3 or
$s4
}
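Review bot: The six uppercase MD5 literals in blackmoon_hash and the last one in BlackMoon_2022 (`"37C030456818878AF1DC8CE7928A504F"`) can never match, because hash.md5() yields the digest as lowercase hex and the `==` comparison is case-sensitive; lowercasing them, e.g. `hash.md5(0,filesize) =="22e46cbcf02d78390d257aee0fe26ede" or`, is the fix. Once lowercased, blackmoon_hash duplicates the hash arm of BlackMoon_2022, so the list should live in one rule. Both rules also hash every scanned file because nothing cheap precedes the hash calls; a `uint16(0) == 0x5a4d and filesize < <SIZE_BOUND>KB and (...)` prefix limits hashing to plausible PE candidates.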


@@ -0,0 +1,11 @@
rule festi_botnet_pdb {
meta:
description = "Detect the risk of Botnet Malware Festi Rule 1"
hash = "e55913523f5ae67593681ecb28d0fa1accee6739fdc3d52860615e1bc70dcb99"
strings:
$pdb = "\\eclipse\\botnet\\drivers\\Bin\\i386\\kernel.pdb"
condition:
uint16(0) == 0x5a4d and
filesize < 80KB and
any of them
}

272
yaraRules/Botnet.Gafgyt.yar Normal file

@@ -0,0 +1,272 @@
rule Gafgyt_Generic_Botnet {
meta:
description = "Detect the risk of Botnet Malware Gafgyt Rule 1"
hash0 = "2a18f2d59f172622e76d9d9b5c73393b"
hash1 = "06de2d19862494be7dbcbcf20b3dbe3a"
hash2 = "0fc30a802a07386f5cd4b18b47547979"
hash3 = "be6865ccb948f2937fd25fe465e434da"
hash4 = "c8d58acfe524a09d4df7ffbe4a43c429"
hash5 = "0f979b4ae1209020dd2b672f9dad7398"
hash6 = "45826c129bf3d3bd067e33cf7bef3883"
hash7 = "79b9d4cea7972951efad765406459f5e"
hash8 = "baad702930571c414b0e8896f8bb4a5f"
hash9 = "11754a20e705dccf96f1a1def7220efc"
hash10 = "67db9ed04d3b56f966a739fd40a47748"
strings:
$s0 = "busybox" fullword
$s1 = "PONG!" fullword
$s2 = "GETLOCALIP" fullword
$s3 = "HTTPFLOOD" fullword
$s4 = "LUCKYLILDUDE" fullword
$s5 = "/dev/null"
$s6 = "/etc/resolv.conf"
$s7 = "/etc/config/resolv.conf"
condition:
all of them
}
rule Gafgyt_July_1 {
meta:
description = "Detect the risk of Botnet Malware Gafgyt Rule 2"
hash1 = "041db2cf6eac2a47ae4651751158838104e502ff33dcc7f5dd48472789870e6c"
hash2 = "0839b33e2da179eac610673769e9568d1942877739cf4d990f3787672a4e9af1"
hash3 = "2a1c1a22ed6989e9ba86f9a192834e0a35afec8026e8ecc0bb5c958d2892d46c"
hash4 = "30b682ee7114bf68f881e641e9ab14c7d62c84f725e9cf5bfccb403aaa1fe8f7"
hash5 = "3b9a35f7a0698b24d214818efd22235c995f1460fc55dd3ebd923ff0dca5370c"
hash6 = "4110dd04db3932f1f03bdce6fa74f5298ffb429b816c7a8fce40f1cbb043e968"
hash7 = "471b4d64420bdf2c8749c390a142ed449aff23b0d67609b268be044657501fa7"
hash8 = "5a9f02031f0b3b1a2edaeae2d77b8c1f67de2b611449432c42c88f840d7a1d5c"
hash9 = "78d9488d688f3b12181b54df0e9da3770e90a4a42a13db001fd211d16645a1bb"
hash10 = "7f2aa6e5e1f1229fb18a15d1599a7a6014796cc7c08b26b9c4336a2048dc8928"
hash11 = "805917658c7761debdaf18e83b54ec4e9ba645950c773ddd21d6cd8ba29b32d6"
hash12 = "ae880c7dd79ebb1d626aea57152fdaa779d07d5b326d7f7fad1d42b637e5da84"
hash13 = "b0d36c18bf900988d01828202ce1ab77949b9a8a29b264ea1639f170a6c9825b"
hash14 = "c17bf892498ed1dce5db1b0f3d588774b8e82f2636f397b2456d15e7442781e6"
hash15 = "c27e328d2fe6fd75066938f58c3359c5dbb9deea166c6a4d3b0397d295a3e8d5"
hash16 = "df292a289d93136fbdd6ac0850b2c8845f967d9a9a3bd29a9386b39843b82eda"
hash17 = "e07a008aaf0a0a2666a705a9756da5bc54be18e2a53a50eb7539f1143548a57f"
hash18 = "0be1e96f318d98398861217a9754bc003e6861d84de8553cdbd87531db66e19b"
hash19 = "2d049876c256e55ae48a1060c32f8d75b691525cd877556172f163fe39466001"
hash20 = "3d8194b7853a1edbaa5d14b4b7a0323c5584b8a5c959efe830073e43d0b4418a"
hash21 = "576bce5c1d1143b0e532333a28d37c98d65b271d651dbce86360d3e80460733f"
hash22 = "b7c5895189c7f4e30984e2f0db703c2120909dccaa339e59795d3e732bca9340"
hash23 = "db23bf90a7f0c69c3501876243ca2fe29e9208864dfa6f2b5d0dac51061a3d86"
hash24 = "e1093d59bef8f260b0ca1ebe82c0635cc225e060b8d7296efe330ca7837e6d44"
hash25 = "e29d1c2cbd64d0f1433602f2b63cf40e33b4376ac613e911a2160b268496164d"
hash26 = "e6523f691d0b4a16cc1892ec4eb3ee113d62443317e337412b70e0cea3e106f7"
hash27 = "ec9387b582e5a935094c6d165741d2c989e72afc3c6063a29e96153e97a74af3"
hash28 = "ed2eaf4c44f83c7920b2d73cbe242b82cc92e3188d04b1bb8742783c49487da7"
strings:
$s1 = "/20x/x58/x4b/x49/x57/x44/x49/x4a/x22/x20/x22/x64/x39/x63/x39/x29/x4d/x20/x29/x57/x5f/x22/x21/x5f/x2b/x20/x51/x53/x4d/x45/x4d/x44" ascii
$s2 = "/73x/6ax/x4a/x4b/x4d/x44/x20/x44/x57/x29/x5f/x20/x44/x57/x49/x4f/x57/x20/x57/x4f/x4b/x3c/x20/x57/x44/x4b/x20/x44/x29/x5f/x41/" fullword ascii
$s3 = "/20x/x58/x4b/x49/x57/x44/x49/x4a/x22/x20/x22/x64/x39/x63/x39/x29/x4d/x20/x29/x57/x5f/x22/x21/x5f/x2b/x20/x51/x53/x4d/x45/x4d/x44" ascii
$s4 = "/x4d/x20/x29/x28/x28/x22/x29/x45/x4f/x4b/x58/x50/x7b/x20/x5f/x57/x44/x44/x57/x44/" fullword ascii
$s5 = "/x71/x3b/x38/x38/x20/x43/x57/x29/x57/x22/x29/x64/x32/x20/x4b/x58/x4b/x4b/x4c/x22/x44/x20/x2d/x44/x5f/" fullword ascii
$s6 = "UDPBYPASS" fullword ascii
$s7 = "Is a named type file" fullword ascii
$s8 = "Structure needs cleaning" fullword ascii
$s9 = "No XENIX semaphores available" fullword ascii
condition:
uint16(0) == 0x457f and filesize < 600KB and 5 of them
}
rule Gafgyt_July_6 {
meta:
description = "Detect the risk of Botnet Malware Gafgyt Rule 3"
author = "LightDefender"
date = "2021-07-06"
hash1 = "821d34f7978fc65fe3b570e86cce45edc921a6cbf02b127fb1263a8448a1f62a"
strings:
$s1 = "infected.log" fullword ascii
$s2 = "Samael-DDoS-Attack" fullword ascii
$s3 = "B0TK1LL" fullword ascii
$s4 = "This Device Has Been Infected by Samael Botnet Made By ur0a :)" ascii
condition:
uint16(0) == 0x457f and filesize < 600KB and 2 of them
}
rule elf_bashlite_auto {
meta:
description = "Detect the risk of Botnet Malware Gafgyt Rule 4"
strings:
$sequence_0 = { 21d0 3345fc c9 c3 55 }
// n = 5, score = 300
// 21d0 | mov dword ptr [ebp - 4], 0
// 3345fc | mov edi, 0x512c00
// c9 | inc esp
// c3 | mov edi, esp
// 55 | mov edi, 0x512c00
$sequence_1 = { e8???????? 89c2 89d0 c1e81f }
// n = 4, score = 300
// e8???????? |
// 89c2 | mov byte ptr [ebx], 0
// 89d0 | sub eax, edx
// c1e81f | cmp eax, dword ptr [esp + 0x7c]
$sequence_2 = { e8???????? 8945ec 837dec00 750b 8b45ec }
// n = 5, score = 300
// e8???????? |
// 8945ec | je 0xffffff7c
// 837dec00 | mov al, byte ptr [ebp - 0xf]
// 750b | cmp al, 0xc0
// 8b45ec | mov al, byte ptr [ebp - 0xd]
$sequence_3 = { f7d0 21d0 3345fc c9 }
// n = 4, score = 300
// f7d0 | mov ecx, eax
// 21d0 | dec eax
// 3345fc | mov edx, dword ptr [ebp - 0x40]
// c9 | mov edi, 0x800
$sequence_4 = { 750c e8???????? 8b00 83f804 }
// n = 4, score = 300
// 750c | cmp al, 0xfc
// e8???????? |
// 8b00 | jne 0x18a
// 83f804 | dec eax
$sequence_5 = { eb0a c785ecefffff00000000 8b85ecefffff c9 c3 }
// n = 5, score = 300
// eb0a | mov eax, dword ptr [eax]
// c785ecefffff00000000 | mov dword ptr [ebp - 0x108], eax
// 8b85ecefffff | mov dword ptr [ebp - 0x10c], 0x8056e9e
// c9 | mov dword ptr [ebp - 0x110], 5
// c3 | mov eax, dword ptr [ebp + 0xc]
$sequence_6 = { 8b85ecefffff c9 c3 55 }
// n = 4, score = 300
// 8b85ecefffff | add eax, 0x41
// c9 | mov byte ptr [ebx], al
// c3 | mov dword ptr [ebp - 0x1c], edx
// 55 | mov eax, dword ptr [ebp - 0x20]
$sequence_7 = { c1f802 89c2 89d0 01c0 01d0 }
// n = 5, score = 300
// c1f802 | mov dword ptr [ebp - 0x88], eax
// 89c2 | jmp 0x159
// 89d0 | mov dword ptr [esp], eax
// 01c0 | mov ecx, eax
// 01d0 | or ecx, 0x800
$sequence_8 = { 85c0 750c c785ecefffff01000000 eb0a c785ecefffff00000000 8b85ecefffff }
// n = 6, score = 300
// 85c0 | mov dword ptr [ebp - 0x4c], edx
// 750c | dec eax
// c785ecefffff01000000 | mov edi, dword ptr [ebp - 0x18]
// eb0a | mov ecx, dword ptr [ebp - 0x38]
// c785ecefffff00000000 | mov edx, dword ptr [ebp - 0x3c]
// 8b85ecefffff | add dword ptr [ebp - 0x34], eax
$sequence_9 = { 21d0 3345fc c9 c3 }
// n = 4, score = 300
// 21d0 | mov eax, dword ptr [ebp - 0x1c]
// 3345fc | mov word ptr [eax + 0xa], dx
// c9 | mov dword ptr [esp], 0
// c3 | movzx edx, ax
condition:
7 of them and filesize < 274018
}
rule Gafgyt_Botnet_generic : MALW
{
meta:
description = "Detect the risk of Botnet Malware Gafgyt Rule 5"
MD5 = "e3fac853203c3f1692af0101eaad87f1"
SHA1 = "710781e62d49419a3a73624f4a914b2ad1684c6a"
strings:
$etcTZ = "/bin/busybox;echo -e 'gayfgt'"
$s2 = "/proc/net/route"
$s3 = "admin"
$s4 = "root"
condition:
$etcTZ and $s2 and $s3 and $s4
}
rule Gafgyt_Botnet_oh : MALW
{
meta:
description = "Detect the risk of Botnet Malware Gafgyt Rule 6"
MD5 = "97f5edac312de349495cb4afd119d2a5"
SHA1 = "916a51f2139f11e8be6247418dca6c41591f4557"
strings:
$s1 = "busyboxterrorist"
$s2 = "BOGOMIPS"
$s3 = "124.105.97.%d"
$s4 = "fucknet"
condition:
$s1 and $s2 and $s3 and $s4
}
rule Gafgyt_Botnet_bash : MALW
{
meta:
description = "Detect the risk of Botnet Malware Gafgyt Rule 7"
MD5 = "c8d58acfe524a09d4df7ffbe4a43c429"
SHA1 = "b41fefa8470f3b3657594af18d2ea4f6ac4d567f"
strings:
$s1 = "PONG!"
$s2 = "GETLOCALIP"
$s3 = "HTTPFLOOD"
$s4 = "LUCKYLILDUDE"
condition:
$s1 and $s2 and $s3 and $s4
}
rule Gafgyt_Botnet_hoho : MALW
{
meta:
description = "Detect the risk of Botnet Malware Gafgyt Rule 8"
MD5 = "369c7c66224b343f624803d595aa1e09"
SHA1 = "54519d2c124cb536ed0ddad5683440293d90934f"
strings:
$s1 = "PING"
$s2 = "PRIVMSG"
$s3 = "Remote IRC Bot"
$s4 = "23.95.43.182"
condition:
$s1 and $s2 and $s3 and $s4
}
rule Gafgyt_Botnet_jackmy : MALW
{
meta:
description = "Detect the risk of Botnet Malware Gafgyt Rule 9"
MD5 = "419b8a10a3ac200e7e8a0c141b8abfba"
SHA1 = "5433a5768c5d22dabc4d133c8a1d192d525939d5"
strings:
$s1 = "PING"
$s2 = "PONG"
$s3 = "jackmy"
$s4 = "203.134.%d.%d"
condition:
$s1 and $s2 and $s3 and $s4
}
rule Gafgyt_Botnet_HIHI: MALW
{
meta:
description = "Detect the risk of Botnet Malware Gafgyt Rule 10"
MD5 = "cc99e8dd2067fd5702a4716164865c8a"
SHA1 = "b9b316c1cc9f7a1bf8c70400861de08d95716e49"
strings:
$s1 = "PING"
$s2 = "PONG"
$s3 = "TELNET LOGIN CRACKED - %s:%s:%s"
$s4 = "ADVANCEDBOT"
$s5 = "46.166.185.92"
$s6 = "LOLNOGTFO"
condition:
$s1 and $s2 and $s3 and $s4 and $s5 and $s6
}
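Review bot: In Gafgyt_July_1 `$s1` and `$s3` are the same literal, so "5 of them" is really satisfied by four distinct indicators, and `$s7`–`$s9` are stock libc strerror texts that any statically linked ELF carries, which leaves only three sample-specific strings behind the threshold. Drop the duplicate and weight the condition toward the specific strings, e.g. `uint16(0) == 0x457f and filesize < 600KB and 3 of ($s1, $s2, $s4, $s5, $s6)`. The same file's elf_bashlite_auto and the Gafgyt_Botnet_* rules have no ELF magic guard at all, unlike the July rules; `uint16(0) == 0x457f and` in front of each condition keeps the opcode and IRC-string scans off non-ELF content.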


@@ -0,0 +1,24 @@
import "pe"
rule KelihosHlux
{
meta:
description = "Detect the risk of Botnet Malware Kelihos Rule 1"
strings:
$KelihosHlux_HexString = {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}
condition:
$KelihosHlux_HexString
}
rule kelihos_botnet_pdb {
meta:
description = "Detect the risk of Botnet Malware Kelihos Rule 2"
hash = "f0a6d09b5f6dbe93a4cf02e120a846073da2afb09604b7c9c12b2e162dfe7090"
strings:
$pdb = "\\Only\\Must\\Not\\And.pdb"
$pdb1 = "\\To\\Access\\Do.pdb"
condition:
uint16(0) == 0x5a4d and
filesize < 1440KB and
any of them
}
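Review bot: KelihosHlux runs its hex pattern against every file of any type and size, while its sibling kelihos_botnet_pdb guards with the MZ magic and a size bound; `uint16(0) == 0x5a4d and $KelihosHlux_HexString` would make the two consistent (the pattern body is redacted on this page, so its selectivity cannot be judged here). The `import "pe"` at the top is not used by either condition and can go, or be put to use if the intent was a pe.* check.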



@@ -0,0 +1,14 @@
rule Rule_Coinminer_ELF_Format {
meta:
description = "Detect the risk of CoinMiner ELF Rule 1"
detail= "Detects Crypto Miner ELF format"
strings:
$str1 = "mining.set_difficulty" ascii
$str2 = "mining.notify" ascii
$str3 = "GhostRider" ascii
$str4 = "cn/turtle-lite" ascii
$str5 = "spend-secret-key" ascii
condition:
uint16(0) == 0x457f and
4 of them
}


@@ -0,0 +1,88 @@
rule MINER_monero_mining_detection {
meta:
description = "Detect the risk of CoinMiner Monero Rule 1"
detail= "Monero mining software"
strings:
$1 = "* COMMANDS: 'h' hashrate, 'p' pause, 'r' resume" fullword ascii
$2 = "--cpu-affinity set process affinity to CPU core(s), mask 0x3 for cores 0 and 1" fullword ascii
$3 = "* THREADS: %d, %s, av=%d, %sdonate=%d%%%s" fullword ascii
$4 = "--user-agent set custom user-agent string for pool" fullword ascii
$5 = "-O, --userpass=U:P username:password pair for mining server" fullword ascii
$6 = "--cpu-priority set process priority (0 idle, 2 normal to 5 highest)" fullword ascii
$7 = "-p, --pass=PASSWORD password for mining server" fullword ascii
$8 = "* VERSIONS: XMRig/%s libuv/%s%s" fullword ascii
$9 = "-k, --keepalive send keepalived for prevent timeout (need pool support)" fullword ascii
$10 = "--max-cpu-usage=N maximum CPU usage for automatic threads mode (default 75)" fullword ascii
$11 = "--nicehash enable nicehash/xmrig-proxy support" fullword ascii
$12 = "<!--The ID below indicates application support for Windows 10 -->" fullword ascii
$13 = "* CPU: %s (%d) %sx64 %sAES-NI" fullword ascii
$14 = "-r, --retries=N number of times to retry before switch to backup server (default: 5)" fullword ascii
$15 = "-B, --background run the miner in the background" fullword ascii
$16 = "* API PORT: %d" fullword ascii
$17 = "--api-access-token=T access token for API" fullword ascii
$18 = "-t, --threads=N number of miner threads" fullword ascii
$19 = "--print-time=N print hashrate report every N seconds" fullword ascii
$20 = "-u, --user=USERNAME username for mining server" fullword ascii
condition:
( uint16(0) == 0x5a4d and
filesize < 4000KB and
( 8 of them )) or
( all of them )
}
import "hash"
rule xmrig_moneroocean_prebuild: elf mining xmrig
{
meta:
description = "Detect the risk of CoinMiner Monero Rule 2"
condition:
hash.md5(0, filesize) == "5a818e75dff6adfe9f645cc49d6c0b70"
}
rule setup_moneroocean_miner: bash mining xmrig
{
meta:
description = "Detect the risk of CoinMiner Monero Rule 3"
strings:
$ = "MoneroOcean mining setup script"
$ = "setup_moneroocean_miner.sh <wallet address>"
$ = "TOTAL_CACHE=$(( $CPU_THREADS*$CPU_L1_CACHE + $CPU_SOCKETS"
$ = "$HOME/moneroocean/xmrig"
$ = "$LATEST_XMRIG_LINUX_RELEASE"
$ = "moneroocean_miner.service"
condition:
any of them or hash.md5(0, filesize) == "75363103bb838ca8e975d318977c06eb"
}
rule uninstall_moneroocean_miner: bash mining xmrig
{
meta:
description = "Detect the risk of CoinMiner Monero Rule 4"
strings:
$default1 = "moneroocean"
$default2 = "mining uninstall script"
$s1 = "sudo systemctl stop"
$s2 = "sudo systemctl disable"
$s3 = "rm -f /etc/systemd/system/"
$s4 = "sudo systemctl daemon-reload"
condition:
($default1 or $default2) and any of ($s*) or hash.md5(0, filesize) == "b059718f365d30a559afacf2d86bc379"
}
rule moneroocean_miner_service: mining xmrig
{
meta:
description = "Detect the risk of CoinMiner Monero Rule 5"
strings:
$default1 = "ExecStart="
$default2 = "moneroocean"
$s1 = "[Service]"
$s2 = "[Unit]"
condition:
all of ($default*) and any of ($s*)
}
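Review bot: In setup_moneroocean_miner and uninstall_moneroocean_miner the `hash.md5(0, filesize)` arm sits after an `or`, so for every file whose strings do not match the whole file is hashed; prefix the arm with a size bound, e.g. `or (filesize < <SIZE_BOUND>KB and hash.md5(0, filesize) == "75363103bb838ca8e975d318977c06eb")`, and do the same in xmrig_moneroocean_prebuild. The uninstall condition `($default1 or $default2) and any of ($s*) or hash.md5(...)` relies on `and` binding tighter than `or`; parenthesising the first clause documents the intent. The `import "hash"` placed between rules is legal but easy to miss; moving it to the top of the file matches the other rule files in this commit.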


@@ -0,0 +1,138 @@
import "pe"
rule CoinMiner01 {
meta:
description = "Detects the risk of CoinMiner Trojan rule 1"
detail = "Detects coinminer payload"
strings:
$s1 = "-o pool." ascii wide
$s2 = "--cpu-max-threads-hint" ascii wide
$s3 = "-P stratum" ascii wide
$s4 = "--farm-retries" ascii wide
$dl = "github.com/ethereum-mining/ethminer/releases/download" ascii wide
condition:
uint16(0) == 0x5a4d and (3 of ($s*) or ($dl))
}
rule win_coinminer_auto {
meta:
description = "Detects the risk of CoinMiner Trojan rule 2"
strings:
$sequence_0 = { 56 85c0 7511 e8???????? 83c404 32c0 5e }
// n = 7, score = 100
// 56 | push esi
// 85c0 | test eax, eax
// 7511 | jne 0x13
// e8???????? |
// 83c404 | add esp, 4
// 32c0 | xor al, al
// 5e | pop esi
$sequence_1 = { e8???????? 8d8c24500b0000 8bf0 e8???????? }
// n = 4, score = 100
// e8???????? |
// 8d8c24500b0000 | lea ecx, [esp + 0xb50]
// 8bf0 | mov esi, eax
// e8???????? |
$sequence_2 = { 09c0 744a 8b5f04 48 8d8c3000700800 48 }
// n = 6, score = 100
// 09c0 | or eax, eax
// 744a | je 0x4c
// 8b5f04 | mov ebx, dword ptr [edi + 4]
// 48 | dec eax
// 8d8c3000700800 | lea ecx, [eax + esi + 0x87000]
// 48 | dec eax
$sequence_3 = { 8bf1 8b0d???????? 85ff 7527 85c9 7523 e8???????? }
// n = 7, score = 100
// 8bf1 | mov esi, ecx
// 8b0d???????? |
// 85ff | test edi, edi
// 7527 | jne 0x29
// 85c9 | test ecx, ecx
// 7523 | jne 0x25
// e8???????? |
$sequence_4 = { 8bcb e8???????? 57 ff15???????? 5f b001 5b }
// n = 7, score = 100
// 8bcb | mov ecx, ebx
// e8???????? |
// 57 | push edi
// ff15???????? |
// 5f | pop edi
// b001 | mov al, 1
// 5b | pop ebx
$sequence_5 = { f30f6f05???????? 56 57 f30f7f442440 b920000000 be???????? f30f6f05???????? }
// n = 7, score = 100
// f30f6f05???????? |
// 56 | push esi
// 57 | push edi
// f30f7f442440 | movdqu xmmword ptr [esp + 0x40], xmm0
// b920000000 | mov ecx, 0x20
// be???????? |
// f30f6f05???????? |
$sequence_6 = { 756e 56 e8???????? 83c404 33c0 5f }
// n = 6, score = 100
// 756e | jne 0x70
// 56 | push esi
// e8???????? |
// 83c404 | add esp, 4
// 33c0 | xor eax, eax
// 5f | pop edi
$sequence_7 = { 6b45e430 8945e0 8d8098589000 8945e4 803800 8bc8 7435 }
// n = 7, score = 100
// 6b45e430 | imul eax, dword ptr [ebp - 0x1c], 0x30
// 8945e0 | mov dword ptr [ebp - 0x20], eax
// 8d8098589000 | lea eax, [eax + 0x905898]
// 8945e4 | mov dword ptr [ebp - 0x1c], eax
// 803800 | cmp byte ptr [eax], 0
// 8bc8 | mov ecx, eax
// 7435 | je 0x37
$sequence_8 = { 7314 33c0 8974241c 85f6 }
// n = 4, score = 100
// 7314 | jae 0x16
// 33c0 | xor eax, eax
// 8974241c | mov dword ptr [esp + 0x1c], esi
// 85f6 | test esi, esi
$sequence_9 = { 83c102 ebe2 8d8df8fdffff b8???????? 90 668b10 }
// n = 6, score = 100
// 83c102 | add ecx, 2
// ebe2 | jmp 0xffffffe4
// 8d8df8fdffff | lea ecx, [ebp - 0x208]
// b8???????? |
// 90 | nop
// 668b10 | mov dx, word ptr [eax]
condition:
7 of them and filesize < 1523712
}
rule CoinMiner_imphash {
meta:
description = "Detects the risk of CoinMiner Trojan rule 3"
condition:
pe.imphash() == "563557d99523e4b1f8aab2eb9b79285e"
}
rule Trojan_CoinMiner {
meta:
description = "Detects the risk of CoinMiner Trojan rule 4"
hash1 = "3bdac08131ba5138bcb5abaf781d6dc7421272ce926bc37fa27ca3eeddcec3c2"
hash2 = "d60766c4e6e77de0818e59f687810f54a4e08505561a6bcc93c4180adb0f67e7"
strings:
$seq0 = { df 75 ab 7b 80 bf 83 c1 48 b3 18 74 70 01 24 5c }
$seq1 = { 08 37 4e 6e 0f 50 0b 11 d0 98 0f a8 b8 27 47 4e }
$seq2 = { bf 17 5a 08 09 ab 80 2f a1 b0 b1 da 47 9f e1 61 }
$seq3 = { 53 36 34 b2 94 01 cc 05 8c 36 aa 8a 07 ff 06 1f }
$seq4 = { 25 30 ae c4 44 d1 97 82 a5 06 05 63 07 02 28 3a }
$seq5 = { 01 69 8e 1c 39 7b 11 56 38 0f 43 c8 5f a8 62 d0 }
condition:
( uint16(0) == 0x5a4d and filesize < 5000KB and pe.imphash() == "e4290fa6afc89d56616f34ebbd0b1f2c" and 3 of ($seq*)
)
}
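Review bot: win_coinminer_auto scans its x86 opcode sequences in every file type, whereas CoinMiner01 and Trojan_CoinMiner in the same file guard with the MZ magic; `uint16(0) == 0x5a4d and 7 of them and filesize < 1523712` keeps it consistent and cheaper. The `description` strings here read "Detects the risk" while the other rule files in this commit use "Detect the risk"; if anything downstream keys on that prefix, align the wording.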


@@ -0,0 +1,36 @@
rule RULE_ETERNALBLUE_GENERIC_SHELLCODE
{
meta:
description = "Detect the risk of Wannamine Rule 1"
detail = "Detecta una shellcode genérica de EternalBlue, con payload variable"
strings:
$sc = { 31 c0 40 0f 84 ?? ?? ?? ?? 60 e8 00 00 00 00 5b e8 23 00 00 00 b9
76 01 00 00 0f 32 8d 7b 39 39 }
condition:
all of them
}
rule RULE_XMRIG
{
meta:
description = "Detect the risk of Wannamine Rule 2"
detail = "Minero XMRig WannaMine"
strings:
$xmrig = "xmrig"
$randomx = "randomx"
condition:
uint16(0) == 0x5A4D and
all of them
}
rule CoinMiner_WannaMine_Opcodes
{
meta:
description = "Detect the risk of Wannamine Rule 3"
strings:
$s1 = {558BEC83EC10A05BE241008B550C8BCA}
$s2 = {8B45008954243C03D081FAA00500000F}
$s3 = {558BEC6AFF68786F410064A100000000}
condition:
uint16(0) == 0x5a4d and all of them
}
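Review bot: RULE_XMRIG fires on any PE containing the substrings "xmrig" and "randomx", which includes the stock XMRig build and its tooling, so the description "Wannamine Rule 2" over-attributes what the rule actually detects; a `detail` line such as `detail = "Generic XMRig/RandomX indicator, not specific to WannaMine"` keeps match output honest. RULE_ETERNALBLUE_GENERIC_SHELLCODE has no size bound, so the wildcarded `$sc` pattern is scanned in files of any size; a `filesize` cap like the other rules in this commit use would help. The two `detail` strings are in Spanish while the rest of the commit is English; translating them keeps the metadata uniform.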


@@ -0,0 +1,215 @@
import "hash"
rule givemexyz_family_hash
{
meta:
description ="Detect the risk of CoinMiner givemexyz Rule 1"
condition:
hash.sha256(0,filesize) =="599393e258d8ba7b8f8633e20c651868258827d3a43a4d0712125bc487eabf92" or
hash.sha256(0,filesize) =="2c356d4621626e3de5f268aea9e7736840bbfcdc02e15d2b3cda1050f4f50798" or
hash.sha256(0,filesize) =="2fc3be782b1803c6e1c17e386136e6b2fb7e5054e2a81eee8f866eeaa44beab1" or
hash.sha256(0,filesize) =="8a877dc7afbfb6701ac42630c2adafb9ef46e8942e5b17372f07c892a7bee1b3" or
hash.sha256(0,filesize) =="1225cc15a71886e5b11fca3dc3b4c4bcde39f4c7c9fbce6bad5e4d3ceee21b3a" or
hash.sha256(0,filesize) =="11547e36146e0b0956758d48faeb19d4db5e737dc942bc7498ed86a8010bdc8b" or
hash.sha256(0,filesize) =="86f57444e6f4a40378fd0959a54794c7384d04678f8c66dfb7801f3d0cfc0152" or
hash.sha256(0,filesize) =="86859ad5e3115893e5878e91168367d564c1eb937af0d1e4c29dd38fb9647362" or
hash.sha256(0,filesize) =="f8744257415d256512c8b2f3501be20a0a30e37357e71df3986e2918fd53ef5e" or
hash.sha256(0,filesize) =="b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09" or
hash.sha256(0,filesize) =="a5604893608cf08b7cbfb92d1cac20868808218b3cc453ca86da0abaeadc0537" or
hash.sha256(0,filesize) =="f994135b5285cc481f2bfc213395e81c656542d1b6b5f23551565d524f3cdb89" or
hash.sha256(0,filesize) =="ceb3a7a521dc830a603037c455ff61e8849235f74db3b5a482ad5dcf0a1cdbc5"
}
rule XmrigCnrigOptions: mining xmrig cnrig
{
meta:
description ="Detect the risk of CoinMiner givemexyz Rule 2"
strings:
$s1 = "--donate-level" ascii
$s2 = "--nicehash" ascii
$s3 = "--algo" ascii
$s4 = "--threads" ascii
$s5 = "--cpu-max-threads-hint" ascii
$x = "xmrig" ascii fullword
condition:
3 of ($s*) and $x
}
import "hash"
// xmrig_md5_5_9_0
private rule tar_gz_5_9_0
{
meta:
description = "xmrig-5.9.0-xenial-x64.tar.gz"
condition:
hash.md5(0, filesize) == "b63ead42823ae63c93ac401e38937323"
}
private rule xmrig_5_9_0
{
meta:
description = "xmrig.elf"
condition:
hash.md5(0, filesize) == "d351de486d4bb4e80316e1524682c602"
}
private rule xmrig_notls_5_9_0
{
meta:
description = "xmrig-notls.elf"
condition:
hash.md5(0, filesize) == "187ed1d112e4a9dff0241368f2868615"
}
rule xmrig_md5_5_9_0: mining md5 xmrig
{
meta:
description ="Detect the risk of CoinMiner givemexyz Rule 3"
condition:
tar_gz_5_9_0 or xmrig_5_9_0 or xmrig_notls_5_9_0
}
// xmrig_md5_5_10_0
private rule tar_gz_5_10_0
{
meta:
description = "xmrig-5.10.0-xenial-x64.tar.gz"
condition:
hash.md5(0, filesize) == "416079fd0c7b45307556198f3f67754d"
}
private rule xmrig_5_10_0
{
meta:
description = "xmrig.elf"
condition:
hash.md5(0, filesize) == "3939395192972820ce2cf99db0c239d7"
}
private rule xmrig_notls_5_10_0
{
meta:
description = "xmrig-notls.elf"
condition:
hash.md5(0, filesize) == "0456ef39240c75e0862b30419d4c6359"
}
rule xmrig_md5_5_10_0: mining md5 xmrig
{
meta:
description ="Detect the risk of CoinMiner givemexyz Rule 4"
condition:
tar_gz_5_10_0 or xmrig_5_10_0 or xmrig_notls_5_10_0
}
// xmrig_md5_5_11_0
private rule tar_gz_5_11_0
{
meta:
description = "xmrig-5.11.0-xenial-x64.tar.gz"
condition:
hash.md5(0, filesize) == "abf7feaf1e456c0fc6e8f1e40af9211c"
}
private rule xmrig_5_11_0
{
meta:
description = "xmrig.elf"
condition:
hash.md5(0, filesize) == "56aec7d8d2aba5ba2b82930408f0b5d3"
}
private rule xmrig_notls_5_11_0
{
meta:
description = "xmrig-notls.elf"
condition:
hash.md5(0, filesize) == "9a5c0a5d960b676ba4db535f71ee7cef"
}
rule xmrig_md5_5_11_0: mining md5 xmrig
{
meta:
description ="Detect the risk of CoinMiner givemexyz Rule 5"
condition:
tar_gz_5_11_0 or xmrig_5_11_0 or xmrig_notls_5_11_0
}
// xmrig_md5_5_11_1
private rule tar_gz_5_11_1
{
meta:
description = "xmrig-5.11.1-xenial-x64.tar.gz"
condition:
hash.md5(0, filesize) == "820022ba985b4d21637bf6d3d1e53001"
}
private rule xmrig_5_11_1
{
meta:
description = "xmrig.elf"
condition:
hash.md5(0, filesize) == "0090962752b93454093239f770628006"
}
private rule xmrig_notls_5_11_1
{
meta:
description = "xmrig-notls.elf"
condition:
hash.md5(0, filesize) == "54158be61b8011a10d1a94432ead208c"
}
rule xmrig_md5_5_11_1: mining md5 xmrig
{
meta:
description ="Detect the risk of CoinMiner givemexyz Rule 6"
condition:
tar_gz_5_11_1 or xmrig_5_11_1 or xmrig_notls_5_11_1
}
rule xmrig_md5_samples_1: mining md5 xmrig
{
meta:
description ="Detect the risk of CoinMiner givemexyz Rule 7"
condition:
hash.md5(0, filesize) == "6f2a2ff340fc1307b65174a3451f8c9a"
}
rule xmrig_md5_samples_2: mining md5 xmrig
{
meta:
description ="Detect the risk of CoinMiner givemexyz Rule 8"
condition:
hash.md5(0, filesize) == "22a213bfd093c402312d75f5f471505e"
}
rule XmrigConfig: json mining xmrig
{
meta:
description ="Detect the risk of CoinMiner givemexyz Rule 9"
detail = "xmrig config.json"
strings:
$ = "\"worker-id\":" ascii
$ = "\"randomx\":" ascii
$ = "\"donate-level\":" ascii
$ = "\"rig-id\":" ascii
$ = "\"donate-over-proxy\":" ascii
condition:
3 of them
}
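Review bot: The second `import "hash"` before the `// xmrig_md5_5_9_0` comment duplicates the one at the top of the file; if the YARA version in use accepts a repeated import it is only noise, otherwise it is a compile error, so it should go either way. The twelve version-pinned private rules plus givemexyz_family_hash each hash every scanned file unconditionally; wrapping the public rules as `filesize < <SIZE_BOUND>MB and (tar_gz_5_9_0 or xmrig_5_9_0 or xmrig_notls_5_9_0)` (and the hash-only rules likewise) bounds that cost, since hashing is the only work these rules do.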




@@ -0,0 +1,29 @@
rule Rootkit_FiveSys {
meta:
description ="Detect the risk of Malware FiveSys Rule 1"
hash1 = "cce24ebdd344c8184dbaa0a0c4a65c7d952a11f6608fe23d562a4d1178915eac"
strings:
$s1 = "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 %s " fullword ascii
$s2 = "GET %s%s HTTP/1.1" fullword ascii
$s3 = "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 sysWeb/1.0.1 " fullword ascii
$s4 = "D:\\record.txt" fullword ascii
$s5 = "number=%s;name=%s;switch=%s;server=%s;tag=%s;altitude=%s;serverDownloadFileName=%s;serverDownloadFileMd5=%s;" fullword ascii
$s6 = "%d - fileName=%s result=%s DownFile=%s" fullword ascii
$s7 = "/driverfile/Jck.txt" fullword ascii
$s8 = "/driverfile/shuiliasafao.txt" fullword ascii
$s9 = "\\FiveSys_1\\x64\\Debug\\FiveSys.pdb" fullword ascii
$s10 = "/api/drive_config/driveDownloadFileList" fullword ascii
$s11 = "[%s] CreateMiniKey failed!Error code:%x" fullword ascii
$s12 = "Host: %d.%d.%d.%d" fullword ascii
$s13 = "serverDownloadFileMd5" fullword ascii
$s14 = "/api/safe/checkver?name=FiveSys_1.sys&ver=" fullword ascii
$s15 = "Haining shengdun Network Information Technology Co., Ltd" fullword ascii
$s16 = "\\cdriversock.cpp" fullword ascii
$s17 = "FiveSys_1.sys\",\"md5\":\"" fullword ascii
$s18 = "/api/popup/fiveDriveCheckdownloadfile?filelist=[{\"name\":\"" fullword ascii
$s19 = "[%s] StartMinifilter failed!Error code:%x" fullword ascii
$s20 = "[%s] CreateMiniKey success!" fullword ascii
condition:
uint16(0) == 0x5a4d and
8 of them
}


@@ -0,0 +1,31 @@
import "hash"
rule Gen_Trojan_Mikey {
meta:
description ="Detect the risk of Malware Mikey Rule 1"
hash = "a8e6c3ca056b3ff2495d7728654b780735b3a4cb"
strings:
$s0 = "nuR\\noisreVtnerruC\\swodniW\\tfosorciM\\ERAWTFOS" fullword ascii
/* reversed string 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' */
$x1 = "User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)" fullword ascii
$x2 = "User-Agent:Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.0; MyIE 3.01)" fullword ascii
$x3 = "%d*%u%s" fullword ascii
$x4 = "%s %s:%d" fullword ascii
$x5 = "Mnopqrst Vwxyabcde Ghijklm Opqrstuv Xya" fullword ascii
condition:
uint16(0) == 0x5a4d and $s0 and 2 of ($x*)
}
rule Mikey_hash
{
meta:
description ="Detect the risk of Malware Mikey Rule 2"
condition:
hash.sha256(0,filesize) =="71f9b10d43494f2b88e0621f0b389f3848415e6737510d8e882b58ba0dad56b0" or
hash.sha256(0,filesize) =="b5c0ffd178d50a325199f3df0951d088585f40a00d0cd44fa610c894867935f6" or
hash.sha256(0,filesize) =="0f5827b2364a8411542b806aa02c106473faff7b9b7a4da5eaa98104a8abf7fd" or
hash.sha256(0,filesize) =="dc422934a782db00afa24cc085c779101386bf8d11bc2fda0db73418935f9fc5" or
hash.sha256(0,filesize) =="37699bfb7cae547a1a312ba7cc47716e6d805b48f58c3783342b801875e20ff8" or
hash.sha256(0,filesize) =="f55af21f69a183fb8550ac60f392b05df14aa01d7ffe9f28bc48a118dc110b4c" or
hash.sha256(0,filesize) =="121157e0fcb728eb8a23b55457e89d45d76aa3b7d01d3d49105890a00662c924"
}
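Review bot: The `hash` meta in Gen_Trojan_Mikey is a 40-hex-digit value, i.e. a SHA-1, but the key does not say so, while the Gafgyt file in this commit labels its digests `MD5 =` / `SHA1 =`; renaming it `sha1 = "a8e6c3ca056b3ff2495d7728654b780735b3a4cb"` removes the ambiguity for anyone pivoting on it. The inline `/* reversed string ... */` comment on `$s0` is useful and worth keeping as the pattern for the other rule files.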


@@ -0,0 +1,48 @@
import "hash"
rule MAL_ELF_Rekoobe_Nov_2021_1
{
meta:
description ="Detect the risk of Malware Rekoobe Rule 1"
hash1 = "bf09a1a7896e05b18c033d2d62f70ea4cac85e2d72dbd8869e12b61571c0327e"
hash2 = "e1999a3e5a611312e16bb65bb5a880dfedbab8d4d2c0a5d3ed1ed926a3f63e94"
strings:
$s1 = { 00 ?? 19 00 00 00 48 85 c0 [2-6] bf 0a 00 00 00 e8 [2] 01 00 ?? 24 00 00 00 48 85 c0 [2-6] c6 00 48 c6 40 05 49 c6 40 01 49 c6 40 06 4c c6 40 02 53 c6 40 07 45 c6 40 03 54 c6 40 08 3d c6 40 04 46 c6 40 09 00 48 89 c7 e8 [2] 00 00 48 8d 54 24 0c }
$s2 = "GETCONF_DIR" ascii
$s3 = "/var/run/nscd/so/dev/ptmx" ascii
$s4 = { 45 78 65 63 53 74 61 72 74 3d 2f 62 69 6e 2f 62 61 73 68 20 2d 63 20 2f 75 73 72 2f 62 69 6e 2f 62 69 6f 73 65 74 64 }
$s5 = { 48 89 df e8 [3] ff 31 f6 48 89 df e8 [3] ff 48 8d 58 01 48 }
$s6 = { 2f 76 61 72 2f 74 6d 70 00 2f 76 61 72 2f 70 72 6f 66 69 6c 65 }
condition:
uint32(0) == 0x464C457F and filesize > 100KB and 5 of ($s*)
}
rule Rekoobe_v2
{
meta:
description ="Detect the risk of Malware Rekoobe Rule 2"
strings:
$a0 = { 83 ?? ?? FF 7? ?? 5? 89 ?? 5? 5? 5? 5? 83 ?? ?? 8B ?? ?? 65 ?? ?? ?? ?? ?? 89 ?? ?? 31 ?? 8B ?? B9 ?? ?? ?? ?? 89 ?? F2 ?? 89 ?? F7 ?? 83 ?? ?? 5? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? C7 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? C6 ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 88 [0-128] 89 ?? B8 ?? ?? ?? ?? 85 ?? 0F 85 [0-128] E8 ?? ?? ?? ?? 89 ?? }
$a1 = { 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? 6A ?? 6A ?? 6A ?? E8 ?? ?? ?? ?? 89 ?? 83 ?? ?? 85 ?? 78 [0-128] 83 ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 74 [0-128] 6A ?? FF 7? ?? 8B ?? ?? FF 3? 5? E8 ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? 83 ?? ?? 6A ?? 5? 5? E8 ?? ?? ?? ?? 83 }
$b0 = { 0F 8E [0-128] 0F B6 ?? 4C ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? 4C ?? ?? 48 ?? ?? ?? 40 ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 40 ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 0F B6 ?? 4C ?? ?? ?? ?? ?? ?? ?? 0F B6 ?? 4C ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 40 ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? 48 ?? ?? ?? 40 ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 0F B6 ?? 4C ?? ?? ?? ?? ?? ?? ?? 0F B6 ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 40 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 40 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 49 ?? ?? 4C ?? ?? 0F B6 ?? 4C ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 0F B6 ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 0F B6 ??}
$b1 = { BB ?? ?? ?? ?? 45 ?? ?? 7F [0-128] EB [0-128] 49 ?? ?? C6 ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? 48 ?? C6 ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? 48 ?? C6 ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? 48 ?? 48 ?? ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 41 ?? ?? ?? ?? 48 ?? ?? BE ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? 48 ?? ?? B9 ?? ?? ?? ?? BE ?? ?? ?? ?? 44 ?? ?? E8 ?? ?? ?? ?? 89 ?? B8 ?? ?? ?? ?? 83 ?? ?? 75 }
$b2 = { 8D [0-128] 44 ?? ?? ?? 4D ?? ?? B9 ?? ?? ?? ?? 4C ?? ?? BE ?? ?? ?? ?? 89 ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 83 ?? ?? 0F 85 [0-128] 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? 8D ?? ?? 48 ?? C6 ?? ?? ?? ?? ?? ?? 8D ?? ?? 48 ?? C6 ?? ?? ?? ?? ?? ?? 8D ?? ?? 48 ?? 48 ?? ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? BE ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 }
$b3 = { 49 ?? ?? 48 ?? ?? 49 ?? ?? 49 ?? ?? ?? 41 ?? ?? ?? BB ?? ?? ?? ?? 4C ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 01 ?? 48 ?? ?? 48 ?? ?? 0F 97 ?? 0F B6 ?? 48 ?? ?? 48 ?? ?? ?? 49 ?? ?? 0F 82 [0-128] 4D ?? ?? 74 [0-128] 4A ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 49 ?? ?? ?? ?? 4C ?? ?? E8 ?? ?? ?? ?? 49 ?? ?? 49 ?? ?? 49 ?? ?? ?? 76 }
condition:
all of ($a*) or all of ($b*)
}
rule Rekoobe_hash
{
meta:
description ="Detect the risk of Malware Rekoobe Rule 3"
condition:
hash.sha256(0,filesize) =="c1aa86482bb9999ca6e7fe771745f4d58f574a90f9f4abf96c16965b3364854b" or
hash.sha256(0,filesize) =="696ddb493016d46780aaecafa731c76fef2d28a56fc75afe1f9b4535612c1db9" or
hash.sha256(0,filesize) =="7b88fa41d6a03aeda120627d3363b739a30fe00008ce8d848c2cbb5b4473d8bc" or
hash.sha256(0,filesize) =="31330c0409337592e9de7ac981cecb7f37ce0235f96e459fefbd585e35c11a1a" or
hash.sha256(0,filesize) =="275d63587f3ac511d7cca5ff85af2914e74d8b68edd5a7a8a1609426d5b7f6a9" or
hash.sha256(0,filesize) =="df90558a84cfcf80639f32b31aec187b813df556e3c155a05af91dedfd2d7429" or
hash.sha256(0,filesize) =="2e81517ee4172c43a2084be1d584841704b3f602cafc2365de3bcb3d899e4fb8"
}
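Review bot: Rekoobe_v2 has neither an ELF magic check nor a size bound, and its patterns are mostly `??` wildcards with `[0-128]` jumps, which leaves the scanner very short fixed atoms to index on, so the rule is expensive on every file; `uint32(0) == 0x464C457F and (all of ($a*) or all of ($b*))` reuses the guard MAL_ELF_Rekoobe_Nov_2021_1 already applies. `$b0` ends in `0F B6 ??`; it is worth confirming the YARA version in use accepts a trailing wildcard before relying on the rule compiling.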


@@ -0,0 +1,18 @@
rule Ransom_BCrypt {
meta:
description= "Detect the risk of Ransomware BCrypt Rule 1"
hash1 = "9b710b07d9192d590ecf8be939ce8ff44e23e64569687f636995270c618582a7"
hash2 = "e47e4060f7a53eb7851b4f9622dccead3594b4af759f882f700cb1737b5f09c5"
strings:
$s1 = "https://www.douban.com/note/693052956/" fullword ascii
$s2 = "C:\\windows64.ntd" fullword ascii
$s3 = "AliWorkbench.exe" fullword ascii
$s4 = "C:\\windows64-2.ntd" fullword ascii
$s5 = "/bEncrypt" fullword wide
$s6 = "unname_1989\\" fullword wide
$s7 = "libcef.dll" fullword wide
$s8 = "C:\\123456789.txt" fullword ascii
$s9 = "SearchCompterFileEncrypt.dll" fullword ascii
condition:
uint16(0) == 0x5a4d and 2 of them
}
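Review bot: `2 of them` in Ransom_BCrypt can be satisfied by `$s3` (`AliWorkbench.exe`) together with `$s7` (`libcef.dll`), and both name legitimate software — the Alibaba workbench client appears to ship Chromium Embedded Framework itself — so a clean build of that product likely satisfies the condition. Requiring one of the sample-specific markers alongside keeps the two-string threshold while closing that path: `uint16(0) == 0x5a4d and 2 of them and 1 of ($s1, $s2, $s4, $s5, $s8, $s9)`. A `filesize` bound would also bring this rule in line with the sibling rules in this commit.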


@@ -0,0 +1,31 @@
rule Ransom_Babuk {
meta:
description= "Detect the risk of Ransomware Babuk Rule 1"
hash1 = "5eb21c59b6a0df15be307fc5ef82464f3d9a56dff8f4214576c48dbc9d3fe7af"
hash2 = "1f2edda243404918b78aa6123aa1fc5b18dd9506e4042c7a1547b565334527e1"
strings:
$mutex = "DoYouWantToHaveSexWithCuongDong" fullword ascii
$mutex_api1 = "OpenMutexA" fullword ascii
$mutex_api2 = "CreateMutexA" fullword ascii
$delshadow1 = "/c vssadmin.exe delete shadows /all /quiet" wide
$delshadow2 = "cmd.exe" wide
$delshadow3 = "open" fullword wide
$delshadow_api = "ShellExecuteW" fullword ascii
$folder1 = "AppData" fullword wide
$folder2 = "Boot" fullword wide
$folder3 = "Windows.old" fullword wide
$folder4 = "Tor Browser" fullword wide
$folder5 = "$Recycle.Bin" fullword wide
$note = "\\How To Restore Your Files.txt" fullword wide
$encrypt = ".babyk" fullword wide
$op1 = {C7 85 D0 FE FF FF 63 68 6F 75}
$op2 = {C7 85 D4 FE FF FF 6E 67 20 64}
$op3 = {C7 85 D8 FE FF FF 6F 6E 67 20}
$op4 = {C7 85 DC FE FF FF 6C 6F 6F 6B}
$op5 = {C7 85 E0 FE FF FF 73 20 6C 69}
$op6 = {C7 85 E4 FE FF FF 6B 65 20 68}
$op7 = {C7 85 E8 FE FF FF 6F 74 20 64}
$op8 = {C7 85 EC FE FF FF 6F 67 21 21 68 80 00 00 00}
condition:
uint16(0) == 0x5a4d and filesize < 200KB and (all of ($mutex*) or all of ($delshadow*) or all of ($folder*) or $note or $encrypt or 3 of ($op*))
}
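Review bot: The `all of ($folder*)` branch of Ransom_Babuk's condition stands on its own, and its five strings (`AppData`, `Boot`, `Windows.old`, `Tor Browser`, `$Recycle.Bin`, all wide fullword) are exactly the directory names a legitimate backup, cleanup or migration tool also embeds, so this is the likely false-positive path even under the 200KB cap. The other branches are anchored by sample-specific material (the mutex name, the `.babyk` extension, the note filename), so the folder set is better used as supporting evidence than as a standalone trigger, e.g. `(all of ($folder*) and 2 of ($op*))` in place of `all of ($folder*)`. The `$op*` block would also benefit from a one-line comment: the immediates decode to ASCII fragments (`chou`, `ng d`, `ong `, `look`, …), i.e. a string built on the stack, which the rule currently leaves for the reader to work out.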


@@ -0,0 +1,112 @@
rule Ransom_BadEncript {
meta:
description= "Detect the risk of Ransomware BadEncript Rule 1"
hash1 = "3bba4636606843da8e3591682b4433bdc94085a1939bbdc35f10bbfd97ac3d3d"
strings:
$x1 = "c:\\users\\nikitos\\documents\\visual studio 2015\\Projects\\BadEncriptMBR\\Release\\BadEncriptMBR.pdb" fullword ascii
$s2 = "DoctorPetrovic.org" fullword wide
$s3 = "oh lol it failed" fullword ascii
$s4 = "Allows DoctorPetrovic Scanner" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 400KB and
(any of ($x*) or 2 of them)
}
rule win_badencript_auto {
meta:
description= "Detect the risk of Ransomware BadEncript Rule 2"
strings:
$sequence_0 = { 8bc1 83e13f c1f806 6bc930 8b048548414100 0fb6440828 }
// n = 6, score = 100
// 8bc1 | mov eax, ecx
// 83e13f | and ecx, 0x3f
// c1f806 | sar eax, 6
// 6bc930 | imul ecx, ecx, 0x30
// 8b048548414100 | mov eax, dword ptr [eax*4 + 0x414148]
// 0fb6440828 | movzx eax, byte ptr [eax + ecx + 0x28]
$sequence_1 = { 8d7f08 8b048d04b54000 ffe0 f7c703000000 7413 8a06 8807 }
// n = 7, score = 100
// 8d7f08 | lea edi, [edi + 8]
// 8b048d04b54000 | mov eax, dword ptr [ecx*4 + 0x40b504]
// ffe0 | jmp eax
// f7c703000000 | test edi, 3
// 7413 | je 0x15
// 8a06 | mov al, byte ptr [esi]
// 8807 | mov byte ptr [edi], al
$sequence_2 = { 83c8ff eb07 8b04cdecfd4000 5f 5e 5b 8be5 }
// n = 7, score = 100
// 83c8ff | or eax, 0xffffffff
// eb07 | jmp 9
// 8b04cdecfd4000 | mov eax, dword ptr [ecx*8 + 0x40fdec]
// 5f | pop edi
// 5e | pop esi
// 5b | pop ebx
// 8be5 | mov esp, ebp
$sequence_3 = { 83e03f c1f906 6bc030 03048d48414100 }
// n = 4, score = 100
// 83e03f | and eax, 0x3f
// c1f906 | sar ecx, 6
// 6bc030 | imul eax, eax, 0x30
// 03048d48414100 | add eax, dword ptr [ecx*4 + 0x414148]
$sequence_4 = { 8b049548414100 804c182d04 ff4604 eb08 ff15???????? }
// n = 5, score = 100
// 8b049548414100 | mov eax, dword ptr [edx*4 + 0x414148]
// 804c182d04 | or byte ptr [eax + ebx + 0x2d], 4
// ff4604 | inc dword ptr [esi + 4]
// eb08 | jmp 0xa
// ff15???????? |
$sequence_5 = { 8b1c9d68d14000 56 6800080000 6a00 53 ff15???????? 8bf0 }
// n = 7, score = 100
// 8b1c9d68d14000 | mov ebx, dword ptr [ebx*4 + 0x40d168]
// 56 | push esi
// 6800080000 | push 0x800
// 6a00 | push 0
// 53 | push ebx
// ff15???????? |
// 8bf0 | mov esi, eax
$sequence_6 = { 6a00 6a03 6a00 6a04 6800000010 }
// n = 5, score = 100
// 6a00 | push 0
// 6a03 | push 3
// 6a00 | push 0
// 6a04 | push 4
// 6800000010 | push 0x10000000
$sequence_7 = { 33c0 3b0cc520db4000 7427 40 83f82d 72f1 }
// n = 6, score = 100
// 33c0 | xor eax, eax
// 3b0cc520db4000 | cmp ecx, dword ptr [eax*8 + 0x40db20]
// 7427 | je 0x29
// 40 | inc eax
// 83f82d | cmp eax, 0x2d
// 72f1 | jb 0xfffffff3
$sequence_8 = { c1fa06 8bc6 83e03f 6bc830 8b049548414100 f644082801 }
// n = 6, score = 100
// c1fa06 | sar edx, 6
// 8bc6 | mov eax, esi
// 83e03f | and eax, 0x3f
// 6bc830 | imul ecx, eax, 0x30
// 8b049548414100 | mov eax, dword ptr [edx*4 + 0x414148]
// f644082801 | test byte ptr [eax + ecx + 0x28], 1
$sequence_9 = { 8bc8 d1f9 6a41 5f 894df0 8b34cde8fd4000 }
// n = 6, score = 100
// 8bc8 | mov ecx, eax
// d1f9 | sar ecx, 1
// 6a41 | push 0x41
// 5f | pop edi
// 894df0 | mov dword ptr [ebp - 0x10], ecx
// 8b34cde8fd4000 | mov esi, dword ptr [ecx*8 + 0x40fde8]
condition:
7 of them and filesize < 335872
}
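Review bot: In win_badencript_auto, `$sequence_0`, `$sequence_3`, `$sequence_4` and `$sequence_8` all hard-code the same absolute address `0x414148` and share the `and …,0x3f / sar …,6 / imul …,0x30` shape, which looks like a statically linked CRT file-handle table lookup rather than ransomware logic; they are effectively one observation, so `7 of them` out of ten is weaker than the count suggests and ties the rule to this build's image base. `$sequence_6` (`push 0; push 3; push 0; push 4; push 0x10000000`) is an argument-push sequence with no distinguishing constant. Wildcarding the address bytes in the four CRT sequences, e.g. `8b0485????????` in the style the rule already uses for `ff15????????`, would let them survive a relink, and carrying the sample hash from Ransom_BadEncript's meta into this rule's meta would record what the generator's `score = 100` lines were cut from.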


@@ -0,0 +1,39 @@
rule BadRabbit_Gen {
meta:
description= "Detect the risk of Ransomware BadRabbit Rule 1"
hash1 = "8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93"
hash2 = "579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648"
hash3 = "630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da"
strings:
$x1 = "schtasks /Create /SC ONCE /TN viserion_%u /RU SYSTEM /TR \"%ws\" /ST" fullword wide
$x2 = "schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR \"%ws /C Start \\\"\\\" \\\"%wsdispci.exe\\\"" fullword wide
$x3 = "C:\\Windows\\infpub.dat" fullword wide
$x4 = "C:\\Windows\\cscc.dat" fullword wide
$s1 = "need to do is submit the payment and get the decryption password." fullword ascii
$s2 = "\\\\.\\GLOBALROOT\\ArcName\\multi(0)disk(0)rdisk(0)partition(1)" fullword wide
$s3 = "\\\\.\\pipe\\%ws" fullword wide
$s4 = "fsutil usn deletejournal /D %c:" fullword wide
$s5 = "Run DECRYPT app at your desktop after system boot" fullword ascii
$s6 = "Files decryption completed" fullword wide
$s7 = "Disable your anti-virus and anti-malware programs" fullword wide
$s8 = "SYSTEM\\CurrentControlSet\\services\\%ws" fullword wide
$s9 = "process call create \"C:\\Windows\\System32\\rundll32.exe" fullword wide
$s10 = "%ws C:\\Windows\\%ws,#1 %ws" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 700KB and ( 1 of ($x*) or 2 of them )
}
rule BadRabbit_Mimikatz_Comp {
meta:
description= "Detect the risk of Ransomware BadRabbit Rule 2"
hash1 = "2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035"
strings:
$s1 = "%lS%lS%lS:%lS" fullword wide
$s2 = "lsasrv" fullword wide
$s3 = "CredentialKeys" ascii
/* Primary\x00m\x00s\x00v */
$s4 = { 50 72 69 6D 61 72 79 00 6D 00 73 00 76 00 }
condition:
( uint16(0) == 0x5a4d and filesize < 200KB and 3 of them )
}
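Review bot: BadRabbit_Mimikatz_Comp's strings (`%lS%lS%lS:%lS`, `lsasrv`, `CredentialKeys`, the `Primary\0m\0s\0v` blob) look like hallmarks of the Mimikatz credential-dumping component in general rather than of BadRabbit specifically, so `3 of them` will fire on standalone Mimikatz builds and on other malware that embeds it, and the `description` (`Ransomware BadRabbit Rule 2`) will then misattribute those hits in triage. Either say so in the meta — e.g. `description = "Detect Mimikatz credential-dump component (as embedded in BadRabbit)"` — or tie the rule to the dropper by also requiring one of BadRabbit_Gen's `$x*` strings. In BadRabbit_Gen, `1 of ($x*)` lets a bare `$x3` or `$x4` path string decide the match on its own, which could also cover removal or vaccination utilities that reference `infpub.dat`/`cscc.dat`; `( 1 of ($x1, $x2) or 2 of them )` would keep the scheduled-task commands as the sole single-string triggers.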


@@ -0,0 +1,9 @@
rule Ransom_BlackMatter {
meta:
description= "Detect the risk of Ransomware BlackMatter Rule 1"
strings:
$op1 = {558BEC81EC0401000053515256578DBDFCFEFFFF32C0AAB92A000000B0FFF3AAB03EAAB903000000B0FF}
$op2 = {02C28B7D0CC1EB028D145B2BD052895DFC8B0E0FB6D10FB6DD578DBDFCFEFFFF}
condition:
uint16(0) == 0x5a4d and any of them
}
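Review bot: Ransom_BlackMatter fires on `any of them`, but neither opcode string carries a comment saying what it is; `$op1` reads as a function prologue that fills a 0x2A-byte buffer with 0xFF (`mov ecx,0x2a; mov al,0xff; rep stosb`) and then stores 0x3E — the shape of a base64 decode-table initializer, which is ordinary compiler output for a common routine rather than family-specific code — so a lone hit on it is a thin basis for a BlackMatter verdict. Documenting each blob (`// $op1: prologue + rep stosb table init, from sample <SAMPLE_HASH>` with the reference hash filled in) and adding a `filesize` bound as the sibling rules do would make the rule reviewable; if `$op2` is the part that is actually unique to the family, `uint16(0) == 0x5a4d and all of them` is the safer condition.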

133
yaraRules/Ransom.Cerber.yar Normal file

@@ -0,0 +1,133 @@
rule cerber3{
meta:
description= "Detect the risk of Ransomware Cerber Rule 1"
strings:
$a = {00 6A 00 68 80 00 00 00 6A 03 6A 00 6A 03 6A 01 8B 85}
$b = {68 3B DB 00 00 ?? ?? ?? ?? 00 ?? FF 15}
condition:
1 of them
}
rule cerber4{
meta:
description= "Detect the risk of Ransomware Cerber Rule 2"
strings:
$a = {8B 0D ?? ?? 43 00 51 8B 15 ?? ?? 43 00 52 E8 C9 04 00 00 83 C4 08 89 45 FC A1 ?? ?? 43 00 3B 05 ?? ?? 43 00 72 02}
condition:
1 of them
}
rule cerber5{
meta:
description= "Detect the risk of Ransomware Cerber Rule 3"
strings:
$a = {83 C4 04 A3 ?? ?? ?? 00 C7 45 ?? ?? ?? ?? 00 8B ?? ?? C6 0? 56 8B ?? ?? 5? 68 ?? ?? 4? 00 FF 15 ?? ?? 4? 00 50 FF 15 ?? ?? 4? 00 A3 ?? ?? 4? 00 68 1D 10 00 00 E8 ?? ?? FF FF 83 C4 04 ?? ?? ??}
condition:
1 of them
}
rule cerber5b{
meta:
description= "Detect the risk of Ransomware Cerber Rule 4"
strings:
$a={8B ?? ?8 ?? 4? 00 83 E? 02 89 ?? ?8 ?? 4? 00 68 ?C ?9 4? 00 [0-6] ?? ?? ?? ?? ?? ?8 ?? 4? 00 5? FF 15 ?? ?9 4? 00 89 45 ?4 83 7D ?4 00 75 02 EB 12 8B ?? ?0 83 C? 06 89 ?? ?0 B? DD 03 00 00 85}
condition:
$a
}
rule win_cerber_auto {
meta:
description= "Detect the risk of Ransomware Cerber Rule 5"
strings:
$sequence_0 = { eba0 47 3bf8 0f8c3effffff 5e 5b 5f }
// n = 7, score = 1200
// eba0 | jmp 0xffffffa2
// 47 | inc edi
// 3bf8 | cmp edi, eax
// 0f8c3effffff | jl 0xffffff44
// 5e | pop esi
// 5b | pop ebx
// 5f | pop edi
$sequence_1 = { ff750c e8???????? 59 59 84c0 74e9 8d45f8 }
// n = 7, score = 1200
// ff750c | push dword ptr [ebp + 0xc]
// e8???????? |
// 59 | pop ecx
// 59 | pop ecx
// 84c0 | test al, al
// 74e9 | je 0xffffffeb
// 8d45f8 | lea eax, [ebp - 8]
$sequence_2 = { 8b4510 c6040200 4a 79f6 }
// n = 4, score = 1200
// 8b4510 | mov eax, dword ptr [ebp + 0x10]
// c6040200 | mov byte ptr [edx + eax], 0
// 4a | dec edx
// 79f6 | jns 0xfffffff8
$sequence_3 = { 237878 899804010000 8b5864 23de 8b75fc }
// n = 5, score = 1200
// 237878 | and edi, dword ptr [eax + 0x78]
// 899804010000 | mov dword ptr [eax + 0x104], ebx
// 8b5864 | mov ebx, dword ptr [eax + 0x64]
// 23de | and ebx, esi
// 8b75fc | mov esi, dword ptr [ebp - 4]
$sequence_4 = { 6a00 ff36 ff15???????? bf02010000 3bc7 7561 }
// n = 6, score = 1200
// 6a00 | push 0
// ff36 | push dword ptr [esi]
// ff15???????? |
// bf02010000 | mov edi, 0x102
// 3bc7 | cmp eax, edi
// 7561 | jne 0x63
$sequence_5 = { 7508 6a03 58 e9???????? 39860c010000 }
// n = 5, score = 1200
// 7508 | jne 0xa
// 6a03 | push 3
// 58 | pop eax
// e9???????? |
// 39860c010000 | cmp dword ptr [esi + 0x10c], eax
$sequence_6 = { 75d9 8b45f8 5f 5e 5b c9 c3 }
// n = 7, score = 1200
// 75d9 | jne 0xffffffdb
// 8b45f8 | mov eax, dword ptr [ebp - 8]
// 5f | pop edi
// 5e | pop esi
// 5b | pop ebx
// c9 | leave
// c3 | ret
$sequence_7 = { 51 8d843078030000 50 e8???????? eb1d }
// n = 5, score = 1200
// 51 | push ecx
// 8d843078030000 | lea eax, [eax + esi + 0x378]
// 50 | push eax
// e8???????? |
// eb1d | jmp 0x1f
condition:
7 of them and filesize < 573440
}
rule Ransom_Cerber {
meta:
description= "Detect the risk of Ransomware Cerber Rule 6"
strings:
$s0 = {558BEC83EC0C8B45088945FC8B4D0C89}
$s1 = {8B45AB2603A9D1CBF8490724599ADA8F}
condition:
uint16(0) == 0x5a4d and all of them
}
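Review bot: `cerber3` has no PE-header or size check and matches on `1 of them`, and its `$a` string (`push 0; push 0x80; push 3; push 0; push 3; push 1; mov eax,[ebp+disp32]`) looks like an ordinary CreateFile argument sequence (FILE_ATTRIBUTE_NORMAL, OPEN_EXISTING, share mode 3) that many benign binaries contain; the eight fixed bytes of `$b` around `push 0xDB3B … call [imm32]` are not much stronger. Gating it the way the later `Ransom_Cerber` rule does — `uint16(0) == 0x5a4d and all of them` — or at minimum `uint16(0) == 0x5a4d and 1 of them` would cut the noise without changing what the strings describe. `cerber4`/`cerber5`/`cerber5b` lean on absolute `?? ?? 43 00` / `4? 00` addresses, so a meta entry recording which sample each was cut from would help when a rebuild stops matching.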


@@ -0,0 +1,14 @@
rule Ransom_Chaos {
meta:
description= "Detect the risk of Ransomware Chaos Rule 1"
hash1 = "08c82472215e1c5deda74584d2b685c04f4fa13c1d30cf3917f850f545bba82d"
hash2 = "a61ee15abf9142f2e3f311cf4dd54d1b2d2c7feb633c75083a8006cd0572ed29"
strings:
$s1 = "Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com" fullword wide
$s2 = "read_it.txt" fullword wide
$s3 = "<EncryptedKey>" fullword wide
$s4 = "Your computer was infected with a ransomware virus." wide
condition:
( uint16(0) == 0x5a4d and 2 of them
) or ( all of them )
}
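Review bot: `$s1` in Ransom_Chaos is written with defanged URLs (`hxxps://www.coinmama.com`, `hxxps://www.bitpanda.com`); unless the sample itself carries the defanged form, which is unlikely for text shown to the victim, the string can never match and the rule silently runs on three strings instead of four. Restore the literal scheme, `$s1 = "Coinmama - https://www.coinmama.com Bitpanda - https://www.bitpanda.com" fullword wide`, and confirm it against the `hash1`/`hash2` samples before merge.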


@@ -0,0 +1,30 @@
rule Ransom_ChupaCabra {
meta:
description= "Detect the risk of Ransomware ChupaCabra Rule 1"
hash1 = "213d6a4c5a5c0045550fa2b822434c51dfd1b6f573c1d1bf22d9eda4f7ab2259"
hash2 = "ce900eefb44f7e49b9c17f35caeed82d0766b71c715b89a60346c0ae19d5df78"
hash3 = "7feeee667beb4d3b5f33611dc8a2735a1b23b9c7b11fa7b71ce33ea865b6c785"
strings:
$s1 = "PasswordEncrypt" fullword ascii
$s2 = "IMPORTANT INFORMATION!!!!" fullword wide
$s3 = "\\HowToDecrypt.txt" fullword wide
$s4 = "password_aes" fullword ascii
$s5 = "\\AX754VD.tmp" fullword wide
$s6 = "http://anubiscloud.xyz/" fullword wide
$s7 = "EncryptFiles" fullword ascii
$s8 = "RidjinEncrypt" fullword ascii
$s9 = "stringa" fullword ascii
$s10 = "ransomware" fullword ascii
$s11 = "loki_decrypt" fullword ascii
$s12 = "To Decrypt: " fullword wide
$s13 = "fuWinIni" fullword ascii
$s14 = "AESDecript" fullword ascii
$s15 = "uAction" fullword ascii
$s16 = "RansomwareCrypt" fullword ascii
$s17 = "v.2.0 Reload" fullword wide
$x1 = "bitcoin_keshel" fullword ascii
$x2 = "All your files are encrypted with ChupaCabra:"
condition:
( uint16(0) == 0x5a4d and filesize < 700KB and (( 5 of ($s*) ) or (any of ($x*)))
) or ( all of them )
}
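Review bot: `5 of ($s*)` in Ransom_ChupaCabra can be reached entirely through generic .NET metadata names — `$s13` (`fuWinIni`) and `$s15` (`uAction`) are the parameter names of a `SystemParametersInfo` P/Invoke, and `$s9` (`stringa`), `$s10` (`ransomware`), `$s7` (`EncryptFiles`) and `$s1` (`PasswordEncrypt`) plausibly appear together in security or backup utilities — so that branch adds little beyond the MZ check. Requiring one family-specific string alongside, e.g. `(5 of ($s*) and 1 of ($s3, $s5, $s6, $s8, $s11, $s17))`, keeps the branch but anchors it. `$x2` has no `ascii`/`wide` modifier and is therefore ASCII-only; the other UI strings in this rule (`$s2`, `$s12`) are declared `wide`, so `$x2 = "All your files are encrypted with ChupaCabra:" wide ascii` is the safer form.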

101
yaraRules/Ransom.Common.yar Normal file

@@ -0,0 +1,101 @@
import "pe"
rule Win_Trojan_Ransom_Common
{
meta:
description= "Detect the risk of Ransomware Common Rule 1"
strings:
$ = { e8ecfbfeffe9933b01006a146868df4400e8373e010033ff897de4 }
$ = { 4bfeffc7455cf668ce4bc745684653b55c8b }
$ = { 60e803000000e9eb045d4555c3e801000000eb5dbbedffffff03dd81eb0000090083bd7d04000000899d7d0400000f85c00300008d858904000050ff95090f00008985810400008bf08d7d515756ff95050f0000abb000ae75fd380775ee8d457affe05669727475616c416c6c6f63005669727475616c467265650056697274 }
$ = { 60bef1e04200bf00104000e80d21fdffb956090000e8bfffffffbf00304100e8f920fdffbf00704100b9dbb20000f3a4bf00904200e8e320fdffbf00b04200e8d920fdffbe009042008b4e0ce33a5651ff1500e0420009c0742389c58b34248b7e108b0fe311575155ff1504e042005f09c07409abebeb5e83c614ebccb8ffff }
$ = { 558bec83ec4868fc598658ff156e16400085c074030145c068b17f29fcff156e16400085c075df6a0068060100006a036a006a04680000006068346c4100ff153a18400083f8ff8945ec0f858e0000006a006843e2e68a6823bf726cff158a1640002145c06a0068bf934b5c68ac01c21aff158a16400068856b4100ff15ca15 }
$ = { 683c114000e8eeffffff000000000000300000004000000000000000f7fbe694f24d754290f5240ebdff2147000000000000010000000a0d0a436f6e726948517a686a45686c003d20226a6c00000000060000001c21400007000000f81a400007000000a41a400056423521f01f2a000000000000000000000000007e000000 }
$ = { 558bec81ecd0020000c685d3fdffffc06800401a00680000001fff151c714000898540fdffff8985c4fdffff6800880200680000b800ff1538714000ff15dc704000052cda0380018540fdffff0185c4fdffff89d6c685d0fdfffff7c685d1fdfffffcc685d4fdffffc48185c4fdffff10453c808bbdc4fdffff8b078985c8fd }
$ = { 558bec6aff6848614000689836400064a100000000506489250000000083c4c05356578965e8c745fc00000000c745d000000000eb098b45d083c0018945d0817dd0102700007d1eff150c504000a39c344100833d9c3441000075086a00ff1500504000ebd06a006a006800000400ff1510504000a39c34410068631000006a }
$ = { 40bb4ee673716c686f73742e646c6c00536553687574646f776e50726976696c656765005c5c2e5c504859534943414c44524956453000005c737973332e6578650000005c737973746d2e747874000072756e61730000006675636b65642d75702d73686974 }
$ = { 6d9f2261749b30726f951b73733600c001711b74436b0e726500000000480c5072611d657345001402791b744d491c756c1b3a696c1342616d1b2900003bff4478061f6e64f321766904216e6d1322000000007453ea0d696ed10c5700b1ff4272d31e7465f8266c65e1fff001f91a7446cf2365539f0a6545ae00e90488197274a3216c4100000000a21c6f633600c0036425616470196c6536002505811269745b46696c5300 }
$ = { 686c184000e8eeffffff000000000000300000003800000000000000e320f04819417b419fb6c109d57078030000000000000100000000000084fc0062616c7a6f00fb000000000007000000e06d400007000000806d400007000000386d400007000000646b4000070000008469400007000000d465400007000000785a4000 }
$ = { 354f465457415245000000006177747761337400326b336a3468696f753233342e646c6c }
$ = { 558bec83ec0c568b3540069b006840069b006bf652ff15902496008b0d40069b003d02400080756c85c9756853578b3d9424960083e611bb04000080eb0f8bc6257f0000808d46ff83e00b03f06a0153ffd783f80675e7bfc0289600b900f0ffff8d5514528bc723c1ba5a4596006a402bd023d152506affff1518229600e8f1 }
$ = { 558bec83ec18c745ecbeffdfbdc745f4bdffdfbdc745f012000000ff45f06808834000ff15ec8540006a33ff15e08540006a33ff15e48540008d }
$ = { e8f4490000e978feffff8325a454470000e8c94a0000a3a454470033c0c3cccccccccccccccccccccccccccc558bec83ec0883e4f0dd1c24f30f7e0424e808000000c9c3660f12442404660fc5c0036625ff7f662d2038663da8080f87d7010000660f14c0660f280d10384100660f59c8f20f2dd1660f281520384100660f58 }
$ = { 558bec892d2ce70210e8020000005dc3558bec83ec20535657c745f800000000c745e4e0140010a1201001108945f468037f00006a00ff152c1001108b4df40fb61181faff000000742a8b45f40fb60883f96a741f8b55f40fb6023d8b00000074128b4df40fb61183fa55740733c0e95d010000a1201001108945e08b0d3420 }
$ = { 68b0144000e8f0ffffff000000000000300000003800000000000000e3e703383595d0499655c676fec77d3700000000000001000000000000000000417072696c000000000000000700000088274000070000001c27400007000000602540000700000018254000010004004421400000000000ffffffffffffffff00000000 }
$ = { e9d6350000e97d390000e929290000e912350000e919240000e946290000e9b6380000e9062b0000e969250000e9d6350000e975260000e9482b0000e9b1390000e9d2370000e920210000e998340000e946320000e989280000e984380000e987240000e91a340000e9fd330000cccccccccccccccccccccccccccccccccccc }
$ = { 558bec51c745fc6edd0100892d10e70310e80a0000008be55dc3cccccccccccc558bec83ec3c53c745f800000000c745e420120010a1b45000108945f4ff15bc5000108b0d14500010894dc46a00ff152050001085c0750733c0e95a0100008b1528600210c60253a128600210c64001598b0d28600210c64102538d55f852a1 }
$ = { 6874144000e8f0ffffff00000000000030000000400053656d616e006a98f07187cc384581798af4453ad8ff0000000000000100000000010000000053656d616e6173656d6153656d616e000000000006000000f06a400001000500bc4f400000000000ffffffffffffffff000000000051400094b040000000000000008f05 }
$ = { 558bec51c745fc80cc0000892d10170410e85a0100008be55dc3cccccccccccc558bec51c745fc54420800c745fc54420800c745fc54420800c745fc54420800c745fc54420800c745fc54420800c745fc54420800c745fc54420800c745fc54420800c745fc54420800c745fc54420800c745fc54420800c745fc54420800c7 }
$ = { e9641a0000e9370e0000e9ad0e0000e997040000e9e2000000e9fe150000e9040d0000e9840f0000e9cf0f0000e9ff0c0000e9b1140000e9bf170000e92a050000e9a20e0000e9b4000000e95d120000e90d100000e94f150000e94e0f0000e9b0120000e9a3110000e9400c0000e970170000e947130000cccccccccccccccc }
$ = { 8b3da82040006681e7fcffb445b0508bc8fd66f2affc8a471f502c2c720f583c55770abb02304000e9cffefffff7f10000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000008bff558bec83ec4853ff33ff33e89201000083c4085b83ec }
$ = { 68a400000068000000006828af4000e85c30000083c40c6800000000e855300000a32caf4000680000000068001000006800000000e842300000a328af4000e8bc2f0000b8a8a04000a330af4000e8ed720000e80d710000e89a670000e8b75f0000e85d5f0000e8cf5e0000e817560000e8f6540000e8ba4e0000e88b4a0000 }
$ = { e984140000e953090000e9630e0000e918080000e992190000e9910c0000e9c8000000e9f5100000e9c8000000e9f30f0000e982130000e941110000e9b5000000e9520b0000e964190000e91e0c0000e9490e0000e9d10a0000e91c0a0000e974090000e97e080000e99f0f0000cccccccccccccccccccccccccccccccccccc }
$ = { 689090000068000000006880894000e85c30000083c40c6800000000e855300000a384894000680000000068001000006800000000e842300000a380894000e8bc2f0000b884814000a388894000e80d550000e825530000e82c4e0000e8fe4d0000e8033a0000e831390000e8a7380000e8c5320000e8f5300000c7058c8940 }
$ = { e9d80b0000e967090000e947100000e9630f0000e922190000e9e60c0000e90a100000e9660c0000e9bc0a0000e9b9000000e952100000e9d9010000e99b090000e9f9180000e9f00e0000e97e120000e96b010000e9a20b0000e9b5010000e9740e0000e92c0a0000e9c90f0000cccccccccccccccccccccccccccccccccccc }
$ = { 50006c006500610073006500200063006f006d0070006c0065007400650020007400680065002000730075007200760065007900200074006f00200075006e006c006f0063006b00200079006f0075007200200063006f006d007000750074006500720021 }
$ = { 33f68bc681c64028400083ee6d8b4eff6a558ac58ae10fc8598bf083c08f8b444802c1e80803f08d461d8038007421b21c38107213b2c03810770dbf0030400033c00f84ccfeffff33c064892060ebf8b970000000e20083e90175f9cc000000cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc }
$ = { 33f68bc681c6????400083ee6d8b4eff6a558ac58ae10fc8598bf083c08f8b444802c1e80803f08d461d8038007421b21c38107213b2c03810770dbf0030400033c00f84a0feffff33c064892060ebf8b970000000e20083e90175f9cc000000????????????????????????????????????????????????????????????cccc }
$ = { 2bf68bc681f64428400083ee6d8b4eff6a2a8ac58ae10fc8598bf083c08f8b4488048acc03f18d461d8038007423b21c38107213b2e03810770dbf0030400033c00f84edfeffff6a00ff1534274000ebf6b972000000e20083e90175f9fa000b9090909090909090909090909090909090909090909090909090909090909090 }
$ = { 2bf68bc681f64828400083ee6d8b4eff6a2a8ac58ae10fc8598bf083c08f8b4488048acc03f18d461d8038007423b21c38107213b2e03810770dbf0030400033c00f84e5feffff6a00ff1584274000ebf6b972000000e20083e90175f9fa000b9090909090909090909090909090909090909090909090909090909090909090 }
$ = { 6818050000680000000068a8454000e81310000083c40c6800000000e812100000a3ac454000680000000068001000006800000000e8ff0f0000a3a8454000e8ec190000e8c2160000e862120000e80d110000e876100000c705b445400014000000b8201900003b05b44540007c2d8b15b8454000ff35e84c4000e8301a0000 }
$ = { 558bec83e4f883ec4c53565768f0b340006810b4400033f656ff15ba8040006a096834b440006a09685cb440006a0468000c0000ff15c68040006890b4400068f4b44000ff15be804000688100000068890000006893080000ff15c28040008d44241c894424188d450450e823390000a3ecb3400033c066a368b64000a1ecb3 }
$ = { 6aff5941be0431400083ee6d8b46ff8bf0c1e6106633f6680a12400081ee20ff000050648b19648921b0503806740383c6108d86ac000000b61a3830720eb538382877088d3d004040007eae9d6a07ff3574304000ff0c24ff242400004490909090909090909090909090909090558bec83ec3857ff37ff37ff3753e8590000 }
$ = { 6a0059be0c31400083ee6d8b46ff8bd0c1e2106633d268ad11400081ea20ff000050648b19648921803a50740383c2088d82ac000000410fb6121bca7721b61a3a30731290b6383830770b8d3d004040007ea79d6a07ff357c304000ff0c24ff2424558bec83ec3457565051ff37e86b0b000083c4145f8be55d58ffd000558b }
$ = { 558bec83e4f883ec3c53565768d0134100c7442414afdfcaffc7442418aedfcaff6820154100ff15860241006a00ff157e0241008d442424894424188d5504e825ddffffa3a4134100a1a41341008b4004a398134100a1a41341008b4008a39c134100a1a41341008b400ca3a0134100c744240c00000000a198134100a3f012 }
$ = { 5589e583ec08c7042402000000ff157c314100e8a8feffff908db42600000000558b0da031410089e55dffe18d742600558b0d9431410089e55dffe1909090905589e5b8cd100000e8bb83000083e4f0b80000000083c00f83c00fc1e804c1e004898574efffff8b8574efffffe896830000e821830000c745f400000000c745 }
$ = { 68903a4000e8f0ffffff000000000000300000003800000000000000e3ea7bd202008844807bc3fd7cc88f27000000000000010000000450e00570ed54686973497300a400000000ffcc310005ccedb412b420f04ab7ee3152698cad4e0c707228a1a79344af62505ec820fc7b3a4fad339966cf11b70c00aa0060d393000000 }
$ = { b94e0e0000558bec83ec0c81052ac4400026c4400056c745f8e3eff20d68f0744000812526c4400007c54000c745f8e4eff20dff15487140008b3577c54000be003000003bc6c7052ec44000f65400000f821200000033c040c7051bc54000672c0000e9590300005381e3de6800008b1d44714000812583c540008c76000068 }
$ = { 68883d4000e8f0ffffff000040000000300000003800000000000000334c50709658ac4c998b4fd69cf9f0b800000000000001000000000000000000614d6172650000000000000000000000000000008800000000000000020000000400000053dca641c6a8594e908b33a627d537ea0100000098000000a800000001000000 }
$ = { 68a400000068000000006898864000e8fc2f000083c40c6800000000e8f52f0000a39c864000680000000068001000006800000000e8e22f0000a398864000e8fc3f0000e8213e0000e8a23c0000e8cc390000e8f2370000ba148140008d0dd4864000e8a02f0000ba518040008d0dcc864000e8902f0000ba898040008d0da4 }
$ = { 2d0d180000558bec83ec105329150baa4500c745fc1beff20d2bc056c7052baa450011000000833d2baa4500000f8478000000833d2baa4500130f8500000000a12baa450048a32baa4500e9d6ffffff8125b7aa450000000000e90d0000008b1db7aa450043891db7aa4500833db7aa4500100f8332000000833db7aa450004 }
$ = { 81e27c730000558bec83ec100d6f2d000053c745fc1beff20d8125b61e440000000000e90d0000008b1db61e440043891db61e4400833db61e44001e0f8314000000833db61e4400210f8500000000e9d4ffffff2bd856c705661e44001b000000833d661e4400000f847d000000833d661e4400070f8500000000833d661e44 }
$ = { ff746365f6ffefffff77f6f6fff6ffefffffeffffffff6fff6ffefffffeffff6ffeffffffff6ffefffffeffffff6ffefffff546f0174735a05f6ffefffff4461490072636565656572f6fff6ffefffffefffff6e6f726973f6ffeffff6ffefffffff006f6961746765017269726524626f6df6ffefffff490075744df6ffefffff65656b6a747274f6ffeffff6ffefffffff69655372006c69f6ffefffff65637565616501576d77f6ffefffff76f6ff }
$ = { 68c0324000e8f0ffffff0000000000003000000040000000000000009718d095d178574d8c9ecfd535de51b600000000000001000000000000000000496c5f5072616e7a6f0000000000000000000000ffcc3100073c33be2f4a1ca044bf40bbcfda18d8606cb22d8bde1af244909cdd860057b93d3a4fad339966cf11b70c00 }
$ = { e874240000e916feffff558bec81ec28030000a3c0434200890dbc4342008915b8434200891db44342008935b0434200893dac434200668c15d8434200668c0dcc434200668c1da8434200668c05a4434200668c25a0434200668c2d9c4342009c8f05d04342008b4500a3c44342008b4504a3c84342008d4508a3d44342008b }
$ = { bb535b0000558bec83ec0c8125a8674000702d0000c745f8f9a6bf30c745f8f8a6bf3081056c674000352800006878634000ff1510804100a16c6440003ddbb47c7fc705f0664000376a00000f85140000008105ac674000fc674000c7056c64400000000000810d04684000f46740008d45f4811df46640008c6d00008945fc }
$ = { 6a6068f0504000e87f030000bf940000008bc7e8771000008965e88bf4893e56ff15605040008b4e10890da47340008b4604a3b07340008b56088915b47340008b760c81e6ff7f00008935a873400083f902740c81ce008000008935a8734000c1e00803c2a3ac73400033f6568b3d1c504000ffd76681384d5a751f8b483c03 }
$ = { 683110400064ff350000000064892500000000e814050000e82d050000e8fe040000e8ff040000e80605000033db891bc3ff0d283040007401c3b81f1540002dd2104000a33a3040008d053e304000506a40ff353a30400068d2104000e8060500006800304000e802050000506800304000ff353a30400068d2104000e82900 }
$ = { e583ec08c7042402000000ff152cf14300e8a8feffff908db42600000000558b0d44f1430089e55dffe18d742600558b0d38f1430089e55dffe1909090905589e55de9c7400000909090909090905589e583ec188b450c0faf450c89450cc7042404000000e8e44300008945fc8b55fc8b450c8902c7042400b04300e8ed4400 }
$ = { 83C404C9C30000000000000000000000000000000000000000000000000000000000872C24558D6C24045189E981E90010000085012D001000003D001000007DEC29C1850189E089CC8B08FF60048B45ECC3E8F7FFFFFF8B008B00C3E8EDFFFFFF50E8EBFFFFFF50E8CD00000081C408000000C38B65E8E8D6FFFFFF50E8C0000000FFFFFFFFBA124000D2124000E9B7000000 }
$ = { 740068006900730020006900730020006E006F00740020006100200058006F0072006900730074002000760061007200690061006E0074 }
$ = "vssadmin.exe delete shadows /all" nocase
$ = "vssadmin delete shadows /all" nocase
$ = "You cannot recover them without paying us some money."
$ = "The price for the recovery software is "
$ = "<h3>How to Pay</h3><p>Send"
$ = "bcdedit /set {default} recoveryenabled no"
$ = "To decrypt all the data"
$ = "wmic shadowcopy delete /nointeractive" nocase
$ = "vssadmin resize shadowstorage /for" nocase
$ = "delete catalog -quiet" fullword wide
condition:
uint16(0) == 0x5a4d and any of them
}
rule Win_MSIL_Ransom
{
meta:
description= "Detect the risk of Ransomware Common Rule 2"
strings:
$a1 = "RijndaelManaged" ascii
$a2 = "GetDirectories" ascii
$a3 = "password" ascii
$a4 = "System.IO" ascii
$a5 = "GetFiles" ascii
$a6 = "System.Security.Cryptography" fullword ascii
$a7 = "encryptDirectory" fullword ascii
$b4 = "files have been encrypted" ascii wide nocase
$b5 = "files has been encrypted" ascii wide nocase
$b6 = "EncryptFile" ascii
$c1 = ".doc" fullword ascii wide
$c2 = ".docx" fullword ascii wide
$c3 = ".xls" fullword ascii wide
$c4 = ".xlsx" fullword ascii wide
$c5 = ".ppt" fullword ascii wide
$c6 = ".pptx" fullword ascii wide
$c7 = ".html" fullword ascii wide
$d1 = "Windows" fullword ascii wide
$d2 = "Program Files (x86)" fullword ascii wide
$d3 = "GetExtension" fullword ascii wide
condition:
uint16(0) == 0x5a4d and (all of ($a*) or (2 of ($b*) and 5 of ($a*)) or (all of ($c*) and 5 of ($a*)) or (all of ($d*) and 6 of ($a*))) and pe.imphash() == "f34d5f2d4577ed6d9ceec516c1f5a744"
}
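Review bot: Win_Trojan_Ransom_Common fires on `uint16(0) == 0x5a4d and any of them`, and the list mixes family-specific hex blobs with generic text such as `To decrypt all the data`, `vssadmin delete shadows /all` (nocase, not fullword) and `delete catalog -quiet`; those phrases also occur in backup/IT tooling and in security products that carry their own remediation strings, so one of them is enough to label a clean binary as ransomware. Because the strings are anonymous (`$ =`) they cannot be grouped in the condition; naming them by kind — `$h*` for the opcode blobs, `$cmd*` for the shadow-copy/bcdedit commands, `$note*` for ransom-note fragments — would allow `1 of ($h*) or (1 of ($cmd*) and 1 of ($note*))` without dropping any indicator. In Win_MSIL_Ransom, the `pe.imphash() == "f34d5f2d4577ed6d9ceec516c1f5a744"` clause deserves a comment on what it pins: it appears to be the import table of a standard managed-executable stub rather than anything family-specific, so it acts as a .NET gate and should be documented as such.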

200
yaraRules/Ransom.Conti.yar Normal file

@@ -0,0 +1,200 @@
import "pe"
rule Ransom_Conti {
meta:
description= "Detect the risk of Ransomware Conti Rule 1"
strings:
$header = "MZ" ascii
$op1 = {B6 C0 B9 54 00 00 00 2B C8 6B C1 2C 99 F7 FE 8D 42 7F 99 F7 FE 88 57 FF}
$op2 = {83 EB 01 75 DD 8B 45 FC 5F 5B 40 5E 8B E5 5D C3 8D 46 01 5E 8B E5 5D C3}
condition:
$header at 0 and filesize < 500KB and (2 of them or pe.imphash()=="c2a4becf8f921158319527ff0049fea9" or pe.imphash()=="5a02193e843512ee9c9808884c6abd23" or pe.imphash()=="39dafb68ebe9859afe79428db28af625")
}
rule win_conti_auto {
meta:
description= "Detect the risk of Ransomware Conti Rule 2"
strings:
$sequence_0 = { 85c0 750f c705????????0b000000 e9???????? }
// n = 4, score = 600
// 85c0 | test eax, eax
// 750f | jne 0x11
// c705????????0b000000 |
// e9???????? |
$sequence_1 = { 0fb6c0 2bc8 8d04c9 c1e002 }
// n = 4, score = 500
// 0fb6c0 | movzx eax, al
// 2bc8 | sub ecx, eax
// 8d04c9 | lea eax, dword ptr [ecx + ecx*8]
// c1e002 | shl eax, 2
$sequence_2 = { 03c1 03c0 99 f7fb 8d427f }
// n = 5, score = 500
// 03c1 | add eax, ecx
// 03c0 | add eax, eax
// 99 | cdq
// f7fb | idiv ebx
// 8d427f | lea eax, dword ptr [edx + 0x7f]
$sequence_3 = { 753f 53 bb0c000000 57 }
// n = 4, score = 500
// 753f | jne 0x41
// 53 | push ebx
// bb0c000000 | mov ebx, 0xc
// 57 | push edi
$sequence_4 = { 753f 53 bb0a000000 57 8d7e01 8d7375 }
// n = 6, score = 500
// 753f | jne 0x41
// 53 | push ebx
// bb0a000000 | mov ebx, 0xa
// 57 | push edi
// 8d7e01 | lea edi, dword ptr [esi + 1]
// 8d7375 | lea esi, dword ptr [ebx + 0x75]
$sequence_5 = { 803900 7533 53 56 57 }
// n = 5, score = 500
// 803900 | cmp byte ptr [ecx], 0
// 7533 | jne 0x35
// 53 | push ebx
// 56 | push esi
// 57 | push edi
$sequence_6 = { 56 8bf1 8975fc 803e00 }
// n = 4, score = 500
// 56 | push esi
// 8bf1 | mov esi, ecx
// 8975fc | mov dword ptr [ebp - 4], esi
// 803e00 | cmp byte ptr [esi], 0
$sequence_7 = { 99 f7fb 8856ff 83ef01 75df }
// n = 5, score = 500
// 99 | cdq
// f7fb | idiv ebx
// 8856ff | mov byte ptr [esi - 1], dl
// 83ef01 | sub edi, 1
// 75df | jne 0xffffffe1
$sequence_8 = { 57 6a04 6800300000 6820005000 }
// n = 4, score = 400
// 57 | push edi
// 6a04 | push 4
// 6800300000 | push 0x3000
// 6820005000 | push 0x500020
$sequence_9 = { 6a01 6810660000 ff7508 ff15???????? }
// n = 4, score = 400
// 6a01 | push 1
// 6810660000 | push 0x6610
// ff7508 | push dword ptr [ebp + 8]
// ff15???????? |
$sequence_10 = { 6800100000 68???????? ff75f8 ff15???????? 85c0 7508 6a01 }
// n = 7, score = 400
// 6800100000 | push 0x1000
// 68???????? |
// ff75f8 | push dword ptr [ebp - 8]
// ff15???????? |
// 85c0 | test eax, eax
// 7508 | jne 0xa
// 6a01 | push 1
$sequence_11 = { 6aff ff75f0 ff15???????? ff75f4 ff15???????? }
// n = 5, score = 400
// 6aff | push -1
// ff75f0 | push dword ptr [ebp - 0x10]
// ff15???????? |
// ff75f4 | push dword ptr [ebp - 0xc]
// ff15???????? |
$sequence_12 = { 85c0 750f c705????????0a000000 e9???????? }
// n = 4, score = 400
// 85c0 | test eax, eax
// 750f | jne 0x11
// c705????????0a000000 |
// e9???????? |
$sequence_13 = { ff75fc ff15???????? e9???????? 6800800000 6a00 }
// n = 5, score = 400
// ff75fc | push dword ptr [ebp - 4]
// ff15???????? |
// e9???????? |
// 6800800000 | push 0x8000
// 6a00 | push 0
$sequence_14 = { 8bce e8???????? 8bb6007d0000 85f6 75ef 6aff 6a01 }
// n = 7, score = 400
// 8bce | mov ecx, esi
// e8???????? |
// 8bb6007d0000 | mov esi, dword ptr [esi + 0x7d00]
// 85f6 | test esi, esi
// 75ef | jne 0xfffffff1
// 6aff | push -1
// 6a01 | push 1
$sequence_15 = { 7605 b800005000 6a00 8d4c2418 51 50 ff742424 }
// n = 7, score = 400
// 7605 | jbe 7
// b800005000 | mov eax, 0x500000
// 6a00 | push 0
// 8d4c2418 | lea ecx, dword ptr [esp + 0x18]
// 51 | push ecx
// 50 | push eax
// ff742424 | push dword ptr [esp + 0x24]
$sequence_16 = { 7411 a801 740d 83f001 }
// n = 4, score = 400
// 7411 | je 0x13
// a801 | test al, 1
// 740d | je 0xf
// 83f001 | xor eax, 1
$sequence_17 = { 85c0 ba0d000000 0f44ca 890d???????? }
// n = 4, score = 300
// 85c0 | test eax, eax
// ba0d000000 | mov edx, 0xd
// 0f44ca | cmove ecx, edx
// 890d???????? |
$sequence_18 = { 83c10b f7e9 c1fa02 8bc2 }
// n = 4, score = 300
// 83c10b | add ecx, 0xb
// f7e9 | imul ecx
// c1fa02 | sar edx, 2
// 8bc2 | mov eax, edx
$sequence_19 = { 83c00b 99 83c117 f7f9 }
// n = 4, score = 300
// 83c00b | add eax, 0xb
// 99 | cdq
// 83c117 | add ecx, 0x17
// f7f9 | idiv ecx
$sequence_20 = { ffd0 8b0d???????? 85c0 ba0d000000 }
// n = 4, score = 300
// ffd0 | call eax
// 8b0d???????? |
// 85c0 | test eax, eax
// ba0d000000 | mov edx, 0xd
$sequence_21 = { ffd0 85c0 750f c705????????0c000000 }
// n = 4, score = 300
// ffd0 | call eax
// 85c0 | test eax, eax
// 750f | jne 0x11
// c705????????0c000000 |
$sequence_22 = { 83c10b f7e9 03d1 c1fa06 8bc2 c1e81f }
// n = 6, score = 300
// 83c10b | add ecx, 0xb
// f7e9 | imul ecx
// 03d1 | add edx, ecx
// c1fa06 | sar edx, 6
// 8bc2 | mov eax, edx
// c1e81f | shr eax, 0x1f
condition:
7 of them and filesize < 520192
}


@@ -0,0 +1,15 @@
rule Ransom_Cryakl {
meta:
description = "Detect the risk of Ransomeware Cryakl Rule 1"
hash1 = "735abbb3b5a1e7eeb625696c92c08ca4cfda110c1f6627524ade4f368a311bc0"
strings:
$s1 = "bin:com:exe:bat:png:bmp:dat:log:ini:dll:sys:|||QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ" ascii
$s2 = "README.txt" fullword wide
$s3 = "/Create /RU SYSTEM /SC ONCE /TN VssDataRestore /F /RL HIGHEST /TR \"vssadmin delete shadows /all /quiet\" /st 00:00" fullword ascii
$s4 = "schtasks" fullword ascii
$s5 = "/Run /tn VssDataRestore" fullword ascii
$s6 = "software\\microsoft\\windows\\currentversion\\run" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 1000KB and
3 of them
}
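Review bot: `3 of them` at L1608 can be satisfied by $s2, $s4 and $s6 alone, and a `README.txt` name, the bare word `schtasks` and the HKCU Run key path are common in legitimate installers and updaters, so the rule can fire with none of the Cryakl-specific content present. Requiring one of the distinctive strings keeps the threshold but closes that path: `1 of ($s1, $s3, $s5) and 3 of them`. The description at L1597 also spells `Ransomeware`; worth fixing while the file is new.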


@@ -0,0 +1,41 @@
rule Ransom_CryptoLocker {
meta:
description= "Detect the risk of Ransomware CryptoLocker Rule 1"
strings:
$s1 = {558BEC83EC0C56C745F8240100008B45}
$s2 = {8B45F82DE92E00002B45F48945F48D05}
condition:
uint16(0) == 0x5a4d and all of them
}
rule Ransom_Cryptolocker_2 {
meta:
description= "Detect the risk of Ransomware CryptoLocker Rule 2"
strings:
$s1 = {8B454821E8306DCFFF63804528050000}
condition:
uint16(0) == 0x5a4d and all of them
}
rule CryptoLocker {
meta:
description= "Detect the risk of Ransomware CryptoLocker Rule 3"
strings:
$x1 = "CryptoLocker" fullword wide
$x2 = ".betarasite" fullword wide
$x3 = "CMSTPBypass" fullword ascii
$s1 = "CommandToExecute" fullword ascii
$s2 = "SetInfFile" fullword ascii
$s3 = "SchoolPrject1" ascii
$s4 = "$730d5f64-bd57-47c1-9af4-d20aec714d02" fullword ascii
$s5 = "Encrypt" fullword ascii
$s6 = "Invalide Key! Please Try Again." fullword wide
$s7 = "RegAsm" fullword wide
$s8 = "Your key will be destroyed" wide
$s9 = "encrypted using RC4 and RSA-2048" wide
$c1 = "https://coinbase.com" fullword wide
$c2 = "https://localbictoins.com" fullword wide
$c3 = "https://bitpanda.com" fullword wide
condition:
uint16(0) == 0x5a4d and (all of ($x*) or all of ($s*) or (2 of ($x*) and 5 of ($s*)) or (all of ($c*) and 1 of ($x*) and 2 of ($s*)))
}
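Review bot: Rules 1 and 2 (L1614–L1630) are pure hex-pattern rules with no reference sample recorded in meta, unlike the neighbouring Cryakl and Fonix rules that carry `hash1`, so nobody can re-validate $s1/$s2 when they stop matching or start false-positiving; add a `hash1 = "<sample sha256>"` line to each. The three rule names also follow three conventions (`Ransom_CryptoLocker`, `Ransom_Cryptolocker_2`, `CryptoLocker`); pick one. `$c2 = "https://localbictoins.com"` at L1648 reads like a misspelling of localbitcoins — if that is what the sample really contains, a trailing `/* sic, as found in sample */` comment will stop the next reader from "fixing" it, and if it is a transcription error the `all of ($c*)` branch can never match.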



@@ -0,0 +1,29 @@
rule Ransom_Fonix {
meta:
description= "Detect the risk of Ransomware Fonix Rule 1"
hash1 = "79288ff9ff7fd26aabc9b9220c98be69fc50d5962e99f313219c4b2512796d6a"
strings:
$x1 = "start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Mi" ascii
$x2 = "start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Mi" ascii
$x3 = "start cmd.exe /c \"C:\\ProgramData\\How To Decrypt Files.hta\" && exit" fullword ascii
$x4 = "start cmd.exe /c \"C:\\ProgramData\\WindowsUpdate.hta\" && exit" fullword ascii
$x5 = "reg add HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ /v \"Michael Gillespie\" /t REG_SZ /d C:\\Program" ascii
$x6 = "reg add HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\ /v \"Michael Gillespie\" /t REG_SZ /d C:\\Pro" ascii
$x7 = "start cmd.exe /c wmic shadowcopy delete " fullword ascii
$x8 = "start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures " fullword ascii
$x9 = "schtasks /CREATE /SC ONLOGON /TN fonix /TR C:\\ProgramData\\XINOF.exe /RU SYSTEM /RL HIGHEST /F" fullword ascii
$x10 = "<!DOCTYPE html><html lang=\"en\"><head><meta charset=\"UTF - 8\" /><title>windowse update</title> <HTA:APPLICATION icon=\"#\" WI" ascii
$x11 = "C:\\Users\\Phoenix\\Downloads\\cryptopp800\\sse_simd.cpp" fullword ascii
$x12 = "C:\\Users\\Phoenix\\Downloads\\cryptopp800\\sha_simd.cpp" fullword ascii
$x13 = "C:\\Users\\Phoenix\\Downloads\\cryptopp800\\chacha_avx.cpp" fullword ascii
$x14 = "start cmd.exe /c vssadmin Delete Shadows /All /Quiet " fullword ascii
$x15 = "C:\\Users\\Phoenix\\Downloads\\cryptopp800\\rijndael_simd.cpp" fullword ascii
$x16 = "start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q" fullword ascii
$x17 = "C:\\Users\\Phoenix\\Downloads\\cryptopp800\\chacha_simd.cpp" fullword ascii
$x18 = "start cmd.exe /c bcdedit /set {default} recoveryenabled no " fullword ascii
$x19 = "schtasks /CREATE /SC ONLOGON /TN exp /TR C:\\Windows\\explorer.exe /F" fullword ascii
$x20 = "schtasks /CREATE /SC ONLOGON /TN fonix /TR C:\\ProgramData\\XINOF.exe /F" fullword ascii
condition:
uint16(0) == 0x5a4d and
1 of ($x*)
}
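Review bot: $x1 and $x2 at L1664–L1665 are byte-identical, so one of them is dead weight; drop $x2. With `1 of ($x*)` at L1686, the shadow-copy, bcdedit and icacls command lines ($x7, $x8, $x14, $x16, $x18) will also match other ransomware families that reuse the same recovery-inhibition commands, which makes the "Fonix" attribution in the alert unreliable. Consider requiring one family-specific string alongside them, e.g. `1 of ($x9, $x11, $x12, $x13, $x15, $x17, $x20) or 2 of ($x*)`, or document in meta that this rule is intentionally behaviour-generic.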


@@ -0,0 +1,101 @@
import "hash"
rule GandCrab_hash{
meta:
description= "Detect the risk of GandCrab Rule 1"
condition:
hash.sha256(0,filesize) =="49b769536224f160b6087dc866edf6445531c6136ab76b9d5079ce622b043200" or
hash.sha256(0,filesize) =="a45bd4059d804b586397f43ee95232378d519c6b8978d334e07f6047435fe926"
}
rule GandCrab {
meta:
description ="Detect the risk of GandCrab Rule 2"
hash1 = "ce9c9917b66815ec7e5009f8bfa19ef3d2dfc0cf66be0b4b99b9bebb244d6706"
strings:
$s1 = "tXujazajiyani voxazo. Wi wayepaxoli wuropiyenazizo fo. Cona leseyimucaye dupoxiyo. Nice mibehahasepa wudehukusidada garaterisovu" ascii
$s2 = "Gihepipigudi sirabuzogasoji. Sorizo sexabonera. Muyokeza niboru kikekimuxu rupo vojurotavugoyi. Yi yugose kadohajedumiya. Bedase" ascii
$s3 = " tixakehe. Reseyetasohora benusere vata kenevagume. Gedagu pegaleheruwago bukiredexuvuwa je. Yowujovu tuzudiposuxe zoyirudipu fo" ascii
$s4 = "imarijoyaneye vetuwipu. Fe. Bedopiyo comu jiye ze. Josusutime vumavizaseha. Pezofogijuxo nucosegogili bobi xayogaci. Kuyi letozo" ascii
$s5 = "**,,,," fullword ascii /* reversed goodware string ',,,,**' */
$s6 = "seyeruxiyehoxidecekajegexozaya gopegiyutusuwofobolikuhubu" fullword wide
$s7 = "Jetewavasaloge" fullword wide
$s8 = "vice zako wukewofeja vehe. Baji givihazi fuyacizogizanu. Gipayacucipi. Wetewavasa. Logeju xosidijoha ruxayo. Gorayo cicenehozogo" ascii
$s9 = "zimosafodi dusepe. Jacudagemuva falo miseyicuwatita koneyepijo. Sudotakupovete mulavifiposo xohilujusucu fususabo. Henihideya di" ascii
$s10 = "zumi gesakuki xoyefepuwahuje. Cugetutu. Nivileralu wafu jojoxaruku luraza punekuce. Dolape dubo. Jirehebeta jeda raguluyoda wohu" ascii
$s11 = "444F4,F44" fullword ascii /* hex encoded string 'DOOD' */
$s12 = "ale wufevujo kagomi haciceye. Yevaxudizera fasumatevakuvo kogumiwubo ta. Hutucozamevi jiharabeme bopobozeharu puyucite fuvukuyi." ascii
$s13 = "44,,,,,,4b" fullword ascii /* hex encoded string 'DK' */
$s14 = "jojukalo lijogagulucurukeyuroyupoheve mi" fullword wide
$s15 = "YKuluye sepuhe zi mosafodidusepe jacudagemuva falomiseyicuwa titako neyepijosu dotakupo ve" fullword wide
$s16 = "Yefepuwahuje cugetutu nivi le" fullword wide
$s17 = " yeruxiyeho xide cekajegexoza. Yagopegi. Yutu suwofo bo. Likuhubujojuka lolijogagulucu. Ru keyuro yupohevelivu dubiyuyinaxo. Dey" ascii
$s18 = "VUGOYIYIYUGOSEKADOHAJEDUMIYA" fullword wide
$s19 = "XCJSEUPAVJ" fullword wide
$s20 = "Eimnxjk" fullword ascii
$s21 = "ikernel32.dll" fullword wide
$s22 = "hulinowujovimuxatelo zabemaperetaboyazowa vituxifuyuyakixi" fullword ascii
$s23 = "Va penoyotoretunurosacidutezajogu fatixiposapapabicu boyokopusidonoyododusahehu" fullword ascii
$s24 = " Base Class Descriptor at (" fullword ascii
$s25 = "ruxayogorayocice" fullword wide
$s26 = "GDCB-DECRYPT.txt" wide
$s27 = "culico yami" fullword ascii
$s28 = "ReflectiveLoader" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 1000KB and
4 of them
}
// From Malpedia
rule win_gandcrab_auto {
meta:
description ="Detect the risk of GandCrab Rule 3"
detail= "GandCrab Ransomware win_gandcrab_auto"
strings:
$sequence_0 = { ff15???????? 03c3 8d5e04 03d8 837f6000 }
$sequence_1 = { ff15???????? ff7728 8bf0 ff15???????? 03c3 8d5e04 }
$sequence_2 = { 03c3 8d5e04 03d8 837f1800 741b ff7720 ff15???????? }
$sequence_3 = { ff777c ff15???????? ff7778 8bf0 ff15???????? 03c3 }
$sequence_4 = { ff774c 8bf0 ff15???????? 03c3 8d5e04 03d8 }
$sequence_5 = { 8d5e04 03d8 837f3c00 741b ff7744 ff15???????? }
$sequence_6 = { ff772c ff15???????? ff7728 8bf0 ff15???????? 03c3 8d5e04 }
$sequence_7 = { 5f 66894c46fe 8bc6 5e 5b }
$sequence_8 = { 741b ff772c ff15???????? ff7728 8bf0 ff15???????? }
$sequence_9 = { 03c3 8d5e04 03d8 837f5400 741b ff775c ff15???????? }
condition:
any of them and filesize < 1024000
}
rule Gandcrab4
{
meta:
description ="Detect the risk of GandCrab Rule 4"
strings:
$hex1 = { 55 8B EC 83 EC ?? 53 56 ?? 3? ?? ?? ?? ?? 5? ?? }
$hex2 = { 8B 45 08 33 45 FC 89 ?1 ?C ?? ?? ?? ?? ?8 ?? ?? }
condition:
all of them and uint16(0) == 0x5A4D and filesize < 100KB
}
rule GandCrab5
{
meta:
description ="Detect the risk of GandCrab Rule 5"
strings:
$s1 = "&version=" wide ascii
$s2 = "/c timeout -c 5 & del \"%s\" /f /q" wide ascii
$s3 = "GANDCRAB" wide ascii
$t1 = "%s\\GDCB-DECRYPT.txt" wide ascii
$t2 = "%s\\KRAB-DECRYPT.txt" wide ascii
condition:
all of ($s*) and ($t1 or $t2)
}
rule Gandcrab_hash
{
meta:
description ="Detect the risk of GandCrab Rule 5"
condition:
hash.sha256(0,filesize) =="eb9207371e53414cfcb2094a2e34bd68be1a9eedbe49c4ded82b2adb8fa1d23d"
}
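Review bot: The description at L1782 repeats "Rule 5", which is already used by GandCrab5 at L1769, so alerts from the two rules cannot be told apart by description. `Gandcrab_hash` (L1779) also differs from `GandCrab_hash` (L1693) only in case; YARA treats them as distinct identifiers, but that is a trap for anyone grepping or referencing the rule. Simplest fix is to fold the L1784 digest into the first hash rule as another `or hash.sha256(0,filesize) == "eb92…d23d"` term and delete the second rule, leaving the numbering contiguous.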


@@ -0,0 +1,162 @@
import "hash"
rule Globeimposter {
meta:
description = "Detect the risk of Ransomware Globeimposter Rule 1"
hash1 = "e478fe703e64b417ed40b35dc5063e78afc00b26b867b12e648efd94d8be59cc"
strings:
$s1 = "fistulization7.dll" fullword ascii
$s2 = "Husmandsforeningen.exe" fullword wide
$s3 = "GetPrintProcessorDirectoryA" fullword ascii
$s4 = "C:\\Program Files (x86)\\Microsoft Visual Studio\\VB98\\VB6.OLB" fullword ascii
$s5 = "AShell_NotifyIconA" fullword ascii
$s6 = "EnumPortsA" fullword ascii
$s7 = "Tittupping" fullword ascii
$s8 = "Husmandsforeningen" fullword wide
$s9 = "Slappendes" fullword ascii
$s10 = "Cosmetics" fullword ascii
$s11 = "Besindedes" fullword ascii
$s12 = "Pimpstenens" fullword ascii
$s13 = "Pneumatogenic" fullword ascii
$s14 = "Epimorphosis8" fullword ascii
$s15 = "Antistimulation4" fullword ascii
$s16 = "Crithidia3" fullword ascii
$s17 = "Teksthenvisningen5" fullword ascii
$s18 = "Unpuddled7" fullword ascii
$s19 = "Underfakturerings6" fullword ascii
$s20 = "UY3 /i" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 1000KB and
8 of them
}
rule Ransomware_Globeimposter {
meta:
description = "Detect the risk of Ransomware Globeimposter Rule 2"
hash1 = "e478fe703e64b417ed40b35dc5063e78afc00b26b867b12e648efd94d8be59cc"
strings:
$s1 = "fistulization7.dll" fullword ascii
$s2 = "Husmandsforeningen.exe" fullword wide
$s3 = "GetPrintProcessorDirectoryA" fullword ascii
$s4 = "C:\\Program Files (x86)\\Microsoft Visual Studio\\VB98\\VB6.OLB" fullword ascii
$s5 = "AShell_NotifyIconA" fullword ascii
$s6 = "EnumPortsA" fullword ascii
$s7 = "Tittupping" fullword ascii
$s8 = "Husmandsforeningen" fullword wide
$s9 = "Slappendes" fullword ascii
$s10 = "Cosmetics" fullword ascii
$s11 = "Besindedes" fullword ascii
$s12 = "Pimpstenens" fullword ascii
$s13 = "Pneumatogenic" fullword ascii
$s14 = "Epimorphosis8" fullword ascii
$s15 = "Antistimulation4" fullword ascii
$s16 = "Crithidia3" fullword ascii
$s17 = "Teksthenvisningen5" fullword ascii
$s18 = "Unpuddled7" fullword ascii
$s19 = "Underfakturerings6" fullword ascii
$s20 = "UY3 /i" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 1000KB and
5 of them
}
rule win_globeimposter_auto {
meta:
description = "Detect the risk of Ransomware Globeimposter Rule 3"
strings:
$sequence_0 = { 0ff4d0 0f6e6604 0ff4e0 0f6e7608 0ff4f0 0f6e7e0c }
// n = 6, score = 700
// 0ff4d0 | pmuludq mm2, mm0
// 0f6e6604 | movd mm4, dword ptr [esi + 4]
// 0ff4e0 | pmuludq mm4, mm0
// 0f6e7608 | movd mm6, dword ptr [esi + 8]
// 0ff4f0 | pmuludq mm6, mm0
// 0f6e7e0c | movd mm7, dword ptr [esi + 0xc]
$sequence_1 = { 45 8364241000 8d442410 50 6880000000 8d44241c }
// n = 6, score = 700
// 45 | inc ebp
// 8364241000 | and dword ptr [esp + 0x10], 0
// 8d442410 | lea eax, [esp + 0x10]
// 50 | push eax
// 6880000000 | push 0x80
// 8d44241c | lea eax, [esp + 0x1c]
$sequence_2 = { 43 85d2 7e18 8d4e7c 8b41fc 3b01 }
// n = 6, score = 700
// 43 | inc ebx
// 85d2 | test edx, edx
// 7e18 | jle 0x1a
// 8d4e7c | lea ecx, [esi + 0x7c]
// 8b41fc | mov eax, dword ptr [ecx - 4]
// 3b01 | cmp eax, dword ptr [ecx]
$sequence_3 = { 8b450c 99 33c2 c745f401000000 }
// n = 4, score = 700
// 8b450c | mov eax, dword ptr [ebp + 0xc]
// 99 | cdq
// 33c2 | xor eax, edx
// c745f401000000 | mov dword ptr [ebp - 0xc], 1
$sequence_4 = { 48 8bfb 2bf8 89442414 }
// n = 4, score = 700
// 48 | dec eax
// 8bfb | mov edi, ebx
// 2bf8 | sub edi, eax
// 89442414 | mov dword ptr [esp + 0x14], eax
$sequence_5 = { 5e 5b 5f 5d 83c420 c20c00 }
// n = 6, score = 700
// 5e | pop esi
// 5b | pop ebx
// 5f | pop edi
// 5d | pop ebp
// 83c420 | add esp, 0x20
// c20c00 | ret 0xc
$sequence_6 = { 7e0e 8d4678 8928 41 8d4014 3b4e6c }
// n = 6, score = 700
// 7e0e | jle 0x10
// 8d4678 | lea eax, [esi + 0x78]
// 8928 | mov dword ptr [eax], ebp
// 41 | inc ecx
// 8d4014 | lea eax, [eax + 0x14]
// 3b4e6c | cmp ecx, dword ptr [esi + 0x6c]
$sequence_7 = { 7505 6ac4 58 eb2f }
// n = 4, score = 700
// 7505 | jne 7
// 6ac4 | push -0x3c
// 58 | pop eax
// eb2f | jmp 0x31
$sequence_8 = { 8d0445ffffffff 8945f0 8d45fc 8945f8 8d45f0 50 }
// n = 6, score = 700
// 8d0445ffffffff | lea eax, [eax*2 - 1]
// 8945f0 | mov dword ptr [ebp - 0x10], eax
// 8d45fc | lea eax, [ebp - 4]
// 8945f8 | mov dword ptr [ebp - 8], eax
// 8d45f0 | lea eax, [ebp - 0x10]
// 50 | push eax
$sequence_9 = { ff15???????? 85c0 7405 3975fc 7405 6afe 58 }
// n = 7, score = 700
// ff15???????? |
// 85c0 | test eax, eax
// 7405 | je 7
// 3975fc | cmp dword ptr [ebp - 4], esi
// 7405 | je 7
// 6afe | push -2
// 58 | pop eax
condition:
7 of them and filesize < 327680
}
rule globeimposter_hash
{
meta:
description ="Detect the risk of globeimposter Rule 4"
condition:
hash.sha256(0,filesize) =="70866cee3b129918e2ace1870e66801bc25a18efd6a8c0234a63fccaee179b68" or
hash.sha256(0,filesize) =="8b6993a935c33bbc028b2c72d7b2e769ff2cd5ad35331bc4d2dcce67a0c81569"
}
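Review bot: Rule 2 (L1820–L1848) repeats Rule 1's strings and `hash1` byte for byte and only lowers the threshold from `8 of them` to `5 of them`, so every file that matches Rule 1 also matches Rule 2 and Rule 1 adds nothing; keep one of them, or state in meta that the two thresholds are meant as severity tiers. At the lower threshold the rule is also satisfiable by $s3, $s4, $s5, $s6 and $s10 alone, which are Win32 import names, the VB6 type-library path present in any VB6-built binary, and an English word, so `5 of them` can match benign VB6 software; pairing it with one of the Danish-looking gibberish identifiers (`1 of ($s7, $s8, $s9, $s11, $s12, $s14, $s15, $s16, $s17, $s18, $s19)`) would fix that. The lowercase "globeimposter" at L1934 is inconsistent with the other three descriptions.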


@@ -0,0 +1,30 @@
import "pe"
rule henry217 {
meta:
description= "Detect the risk of Ransomware henry217 Rule 1"
hash1 = "8dd3fba314bdef96075961d8e0ee3a45d5a3030f89408d2b7f9d9fa5eedc66cd"
strings:
$s1 = "RansomeWare" ascii
$s2 = "AESEncrypt" fullword ascii
$s3 = {AE 5F 6F 8F C5 96 D1 9E}
$s4 = {59 00 6F 00 75 00 72 00 20 00 66 00 69 00 6C 00 65 00}
$s5 = {48 00 65 00 6C 00 6C 00 6F}
$o1 = {68 00 65 00 6E 00 72 00 79 00 32 00 31 00 37}
$o2 = {43 00 3A 00 5C 00 00 00 2E 00 73 00 79 00 73 00}
$pdb = {44 3A 5C D4 B4 C2 EB 5C [2-60] 2E 70 64 62}
$x1 = "RansomeWare.Form1.resources"
$x2 = "76a60872-fdf3-466a-9d80-a853c3485b32" nocase ascii wide
condition:
uint16(0) == 0x5a4d and filesize < 2000KB and ((all of ($s*) or 1 of ($o*)) or (1 of ($s*) and $pdb) or 1 of ($x*)) and pe.imphash() == "f34d5f2d4577ed6d9ceec516c1f5a744"
}
rule henry217_opcode {
meta:
description= "Detect the risk of Ransomware henry217 Rule 2"
hash1 = "8dd3fba314bdef96075961d8e0ee3a45d5a3030f89408d2b7f9d9fa5eedc66cd"
strings:
$opcode1 = {1B300400A9000000020000111F208D270000010A281800000A03068E696F1900000A6F1A00000A06068E69281B00000A1F108D270000010B281800000A04078E696F1900000A6F1A00000A07078E69281B00000A140C281C00000A0D731D00000A130411040906076F1E00000A17731F00000A130511050216028E696F2000000A11056F2100000A11046F2200000A0CDE0C11052C0711056F2300000ADCDE0C11042C0711046F2300000ADCDE0526140CDE00082A00000001280000020069001D86000C00000000020057003D94000C000000000000500052A2000513000001}
$opcode2 = {1B3005004F01000003000011036F2400000A0A16}
condition:
uint16(0) == 0x5a4d and filesize < 2000KB and (1 of them) and pe.imphash() == "f34d5f2d4577ed6d9ceec516c1f5a744"
}
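Review bot: Both conditions (L1960, L1970) are AND-ed with `pe.imphash() == "f34d5f2d4577ed6d9ceec516c1f5a744"`, but the CIL method header in $opcode1 and the `RansomeWare.Form1.resources` name indicate a managed executable, whose import table normally holds only mscoree!_CorExeMain — that value looks like the imphash shared by essentially all .NET binaries rather than something specific to henry217. If that is confirmed (compare against a few unrelated .NET executables), the imphash adds no selectivity and the `1 of ($o*)` branch at L1960 carries real false-positive risk, since $o2 is just `C:\` followed by `.sys` in UTF-16. Either drop the imphash term or stop letting $o2 satisfy the rule on its own, e.g. `(all of ($s*) or $o1 or (1 of ($s*) and $pdb) or 1 of ($x*))`.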


@@ -0,0 +1,32 @@
rule Ransom_HiddenTear_1
{
meta:
description= "Detect the risk of Ransomware HiddenTear Rule 1"
strings:
$s1 = "computerName" fullword ascii
$s2 = "userDir" fullword ascii
$s3 = "userName" fullword ascii
$s4 = "AES_Encrypt" fullword ascii
$s5 = "CreatePassword" fullword ascii
$op1 = {72????0070 28??00000A 6F??00000A 28??00000A 6F??00000A 26}
$x1 = "7ab0dd04-43e0-4d89-be59-60a30b766467" nocase ascii wide
condition:
uint16(0) == 0x5a4d and (4 of ($s*) or any of ($op*) and $x1)
}
rule MAL_RANSOM_COVID19_Apr20_1 {
meta:
description= "Detect the risk of Ransomware HiddenTear Rule 2"
detail= "Detects ransomware distributed in COVID-19 theme"
hash1 = "2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326"
strings:
$s1 = "/savekey.php" wide
$op1 = { 3f ff ff ff ff ff 0b b4 }
$op2 = { 60 2e 2e 2e af 34 34 34 b8 34 34 34 b8 34 34 34 }
$op3 = { 1f 07 1a 37 85 05 05 36 83 05 05 36 83 05 05 34 }
condition:
uint16(0) == 0x5a4d and
filesize < 700KB and
2 of them
}
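Review bot: The condition at L1989 relies on operator precedence: `4 of ($s*) or any of ($op*) and $x1` parses as `(4 of ($s*)) or (any of ($op*) and $x1)` because `and` binds tighter than `or`, so the GUID $x1 is not required when the string branch fires. If that is the intent, make it explicit so the next editor does not "fix" it: `uint16(0) == 0x5a4d and ((4 of ($s*)) or (any of ($op*) and $x1))`. Note that $s1–$s3 are ordinary identifier names found in much .NET code, so the string branch effectively hinges on $s4/$s5 being present — fine, but worth a comment.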


@@ -0,0 +1,78 @@
import "hash"
rule RansomHouseRule1
{
meta:
description ="Detect the Malware of RansomHouse Rule 1, if you need help, call NSFOCUS's support team 400-8186868, please."
condition:
hash.sha256(0,filesize) =="f494629cab071bd384f7998014729d7537a9db0cf7d954b0ff74ea5235c11b1c"
}
rule RansomHouseRule2
{
meta:
description ="Detect the Malware of RansomHouse Rule 2, if you need help, call NSFOCUS's support team 400-8186868, please."
condition:
hash.sha256(0,filesize) =="f88c9366798cd5bd09bebf5b3e44f73c16825ae24dee2e89feeafe0875164348"
}
rule RansomHouseRule3{
meta:
description ="Detect the Malware of RansomHouse Rule 3, if you need help, call NSFOCUS's support team 400-8186868, please."
strings:
$s1 = "unknown error - system account operation failed" fullword ascii
$s2 = "command not found - does the file exist? do you run it like ./commandname if the file is in the same folder?" fullword ascii
$s3 = "warning - no output from process" fullword ascii
$s4 = "failed to create file to run process" fullword ascii
$s5 = "esxcli system account command not found" fullword ascii
$s6 = "failed to start process" fullword ascii
$s7 = "unknown error - operation failed" fullword ascii
$s8 = "failed to chmod file to run process" fullword ascii
$s9 = "Dear IT Department and Company Management! If you are reading this message, it means that your network infrastructure has been c" ascii
$s10 = "esxcli --formatter=csv vm process list" fullword ascii
$s11 = "process was killed by force" fullword ascii
$s12 = "rm -rf /var/log/*.log" fullword ascii
$s13 = "RunProcess" fullword ascii
$s14 = "ps | grep sshd | grep -v -e grep -e root -e 12345 | awk '{print \"kill -9\", $2}' | sh " fullword ascii
$s15 = "esxcli command not found" fullword ascii
$s16 = "esxcli --formatter=csv system account list" fullword ascii
$s17 = "esxcli --formatter=csv network ip interface ipv4 get" fullword ascii
$s18 = "Dear IT Department and Company Management! If you are reading this message, it means that your network infrastructure has been c" ascii
$s19 = "welcomeset" fullword ascii
$s20 = "ompromised. Look for 'How To Restore Your Files.txt' document for more information." fullword ascii
condition:
uint16(0) == 0x457f and filesize < 200KB and
8 of them
}
rule RansomHouseRule4{
meta:
description = "Detect the Malware of RansomHouse Rule 4, if you need help, call NSFOCUS's support team 400-8186868, please."
strings:
$s1 = "OxyKeyScout.exe" fullword wide
$s2 = "https://sectigo.com/CPS0" fullword ascii
$s3 = "https://sectigo.com/CPS0C" fullword ascii
$s4 = "N$.DlL" fullword ascii
$s5 = "3http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%" fullword ascii
$s6 = "?http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v" fullword ascii
$s7 = ",https://enigmaprotector.com/taggant/user.crl0" fullword ascii
$s8 = " <requestedExecutionLevel level='asInvoker' uiAccess='false' />" fullword ascii
$s9 = "(Symantec SHA256 TimeStamping Signer - G3" fullword ascii
$s10 = "(Symantec SHA256 TimeStamping Signer - G30" fullword ascii
$s11 = "http://ocsp.sectigo.com0&" fullword ascii
$s12 = "http://ocsp.sectigo.com0" fullword ascii
$s13 = "support@oxygen-forensic.com0" fullword ascii
$s14 = "2http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#" fullword ascii
$s15 = "2http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s" fullword ascii
$s16 = "3http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t" fullword ascii
$s17 = "+https://enigmaprotector.com/taggant/spv.crl0" fullword ascii
$s18 = "3http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#" fullword ascii
$s19 = "NNkz:\"J" fullword ascii
$s20 = "ETCkW:\\" fullword ascii
$op0 = { a4 00 0c 01 c8 d4 f2 af 34 50 c5 1b 1b 55 03 fc }
$op1 = { d3 0f 0c 01 34 0f 0c 01 }
$op2 = { 54 41 47 47 00 30 00 00 b6 1a 00 00 01 00 30 82 }
condition:
uint16(0) == 0x5a4d and filesize < 244000KB and
( 8 of them and all of ($op*) )
}
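Review bot: In Rule 3, $s9 (L2037) and $s18 (L2046) are the same string, so a single occurrence counts twice toward `8 of them`; drop one. In Rule 4, fifteen of the twenty $s strings are Sectigo/USERTrust/Symantec certificate-chain and timestamping URLs that appear in any binary signed through that chain, so `8 of them` at L2082 is met by certificate boilerplate alone and the rule's selectivity rests entirely on `all of ($op*)`; $s1 and $s13 suggest the target is a signed Oxygen Forensic KeyScout build, i.e. a legitimate tool observed in the intrusion rather than RansomHouse code. The meta should say so (`detail = "signed third-party tool observed with RansomHouse; not the encryptor"`) so responders triage a hit correctly, and the threshold should be raised or rebased on the non-certificate strings.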


@@ -0,0 +1,29 @@
rule Ransom_Lockbit {
meta:
description= "Detect the risk of Ransomware Lockbit Rule 1"
hash1 = "717585e9605ac2a971b7c7537e6e311bab9db02ecc6451e0efada9b2ff38b474"
strings:
$x1 = "powershell.exe -Command \"Get-ADComputer -filter * -Searchbase '%s' | foreach{ Invoke-GPUpdate -computer $_.name -force -RandomD" wide
$x2 = "cmd.exe /c \"shutdown.exe /r /f /t 0\"" fullword wide
$x3 = "C:\\Windows\\System32\\taskkill.exe" fullword wide
$s4 = "\"C:\\Windows\\system32\\mshta.exe\" \"%s\"" fullword wide
$s5 = "<Exec><Command>%s</Command><Arguments>%s</Arguments></Exec>" fullword wide
$s6 = " /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 \"%s\" & Del /f /q \"%s\"" fullword wide
$s7 = "C:\\windows\\system32\\%02X%02X%02X.ico" fullword wide
$s8 = "\\??\\C:\\windows\\system32\\%02X%02X%02X.ico" fullword wide
$s9 = "%%DesktopDir%%\\%02X%02X%02X.exe" fullword wide
$s10 = "%02X%02X%02X.exe" fullword wide
$s11 = "\\Registry\\Machine\\Software\\Classes\\Lockbit\\shell\\Open\\Command" fullword wide
$s12 = "You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, " wide
$s13 = "\\\\%s\\ROOT\\CIMV2" fullword wide
$s14 = "https://tox.chat/download.html" fullword wide
$s15 = "LDAP://CN=%s,CN=Policies,CN=System,DC=%s,DC=%s" fullword wide
$s16 = "\\LockBit_Ransomware.hta" fullword wide
$s17 = "https://bigblog.at" fullword wide
$s18 = "\\NetworkShares.xml" fullword wide
$s19 = "\\Services.xml" fullword wide
$s20 = "RESTORE-MY-FILES.TXT" fullword wide
condition:
uint16(0) == 0x5a4d and
5 of them
}
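Review bot: The condition at L2114–L2115 has no filesize bound, unlike the sibling ransomware rules in this commit, so a 20-string `5 of them` scan runs against arbitrarily large files and installers. Several entries are also generic on their own ($x3 is the stock taskkill path, $s13 the WMI root namespace, $s18/$s19 are Group Policy Preference XML file names), so five hits can come from administration tooling. Suggest `uint16(0) == 0x5a4d and filesize < 2000KB and 5 of them` (bound chosen as an example; set it from the reference sample) and requiring at least one of the LockBit-specific strings ($s11, $s16, $s20) in the set.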

185
yaraRules/Ransom.Locky.yar Normal file

@@ -0,0 +1,185 @@
rule Ransom_Locky {
meta:
description= "Detect the risk of Ransomware Locky Rule 1"
hash1 = "5606e9dc4ab113749953687adac6ddb7b19c864f6431bdcf0c5b0e2a98cca39e"
hash2 = "8ff979f23f8bab94ce767d4760811bde66c556c0c56b72bb839d4d277b3703ad"
strings:
$s1 = "gefas.pdb" fullword ascii
$s2 = "ggqfslmb" fullword ascii
$s3 = "gr7shadtasghdj" fullword ascii
$s4 = "ppgnui.dll" fullword ascii
$s5 = "unqxfddunlkl" fullword ascii
$s6 = "hpmeiokm" fullword ascii
$s7 = "bdkc" fullword ascii
$s8 = {47 41 41 00 63 65 73 73 68 3B 41 41 00 82 04 24}
$s9 = {41 00 68 77 41 41 00 E8}
$s10 = "sctrs.dll" fullword ascii
$s11 = {61 8D 35 2E 41 41}
$pack = {00 ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 E0 2E 64 65 63 00 00 00 00 00 00}
condition:
uint16(0) == 0x5a4d and filesize < 2000KB and 2 of them
}
rule win_locky_auto {
meta:
description= "Detect the risk of Ransomware Locky Rule 2"
strings:
$sequence_0 = { 33c9 8d8445e8fbffff c7461407000000 50 66890e 56 8d8de8fbffff }
// n = 7, score = 2100
// 33c9 | xor ecx, ecx
// 8d8445e8fbffff | lea eax, [ebp + eax*2 - 0x418]
// c7461407000000 | mov dword ptr [esi + 0x14], 7
// 50 | push eax
// 66890e | mov word ptr [esi], cx
// 56 | push esi
// 8d8de8fbffff | lea ecx, [ebp - 0x418]
$sequence_1 = { 85c0 7528 38450c 751e ff15???????? }
// n = 5, score = 2100
// 85c0 | test eax, eax
// 7528 | jne 0x2a
// 38450c | cmp byte ptr [ebp + 0xc], al
// 751e | jne 0x20
// ff15???????? |
$sequence_2 = { 7430 3bc7 5f 732b ff75fc 83661000 }
// n = 6, score = 2100
// 7430 | je 0x32
// 3bc7 | cmp eax, edi
// 5f | pop edi
// 732b | jae 0x2d
// ff75fc | push dword ptr [ebp - 4]
// 83661000 | and dword ptr [esi + 0x10], 0
$sequence_3 = { eb02 8bce 3bc1 740e 48 ebea }
// n = 6, score = 2100
// eb02 | jmp 4
// 8bce | mov ecx, esi
// 3bc1 | cmp eax, ecx
// 740e | je 0x10
// 48 | dec eax
// ebea | jmp 0xffffffec
$sequence_4 = { 8365fc00 56 83c9ff 8bf0 }
// n = 4, score = 2100
// 8365fc00 | and dword ptr [ebp - 4], 0
// 56 | push esi
// 83c9ff | or ecx, 0xffffffff
// 8bf0 | mov esi, eax
$sequence_5 = { 33ff 8d75b8 e8???????? 57 ff15???????? cc }
// n = 6, score = 2100
// 33ff | xor edi, edi
// 8d75b8 | lea esi, [ebp - 0x48]
// e8???????? |
// 57 | push edi
// ff15???????? |
// cc | int3
$sequence_6 = { 99 5e f7fe 8bf0 81fe48922409 }
// n = 5, score = 2100
// 99 | cdq
// 5e | pop esi
// f7fe | idiv esi
// 8bf0 | mov esi, eax
// 81fe48922409 | cmp esi, 0x9249248
$sequence_7 = { c3 8b00 85c0 7407 50 ff15???????? c3 }
// n = 7, score = 2100
// c3 | ret
// 8b00 | mov eax, dword ptr [eax]
// 85c0 | test eax, eax
// 7407 | je 9
// 50 | push eax
// ff15???????? |
// c3 | ret
$sequence_8 = { 8b442408 f7e1 03d3 5b c21000 e9???????? 8bff }
// n = 7, score = 1400
// 8b442408 | mov eax, dword ptr [esp + 8]
// f7e1 | mul ecx
// 03d3 | add edx, ebx
// 5b | pop ebx
// c21000 | ret 0x10
// e9???????? |
// 8bff | mov edi, edi
$sequence_9 = { e9???????? 90 31c0 e9???????? 90 }
// n = 5, score = 700
// e9???????? |
// 90 | nop
// 31c0 | xor eax, eax
// e9???????? |
// 90 | nop
$sequence_10 = { 8d36 e9???????? 90 8d6d00 90 }
// n = 5, score = 700
// 8d36 | lea esi, [esi]
// e9???????? |
// 90 | nop
// 8d6d00 | lea ebp, [ebp]
// 90 | nop
$sequence_11 = { 31c0 90 e9???????? 8d36 90 }
// n = 5, score = 700
// 31c0 | xor eax, eax
// 90 | nop
// e9???????? |
// 8d36 | lea esi, [esi]
// 90 | nop
$sequence_12 = { 90 e9???????? 90 59 e9???????? 90 }
// n = 6, score = 700
// 90 | nop
// e9???????? |
// 90 | nop
// 59 | pop ecx
// e9???????? |
// 90 | nop
$sequence_13 = { 5e c21000 8bff 55 8bec 33c0 8b4d08 }
// n = 7, score = 700
// 5e | pop esi
// c21000 | ret 0x10
// 8bff | mov edi, edi
// 55 | push ebp
// 8bec | mov ebp, esp
// 33c0 | xor eax, eax
// 8b4d08 | mov ecx, dword ptr [ebp + 8]
$sequence_14 = { e8???????? e9???????? 8d09 e9???????? 90 }
// n = 5, score = 700
// e8???????? |
// e9???????? |
// 8d09 | lea ecx, [ecx]
// e9???????? |
// 90 | nop
$sequence_15 = { e9???????? 90 8d00 90 e9???????? 8d09 }
// n = 6, score = 700
// e9???????? |
// 90 | nop
// 8d00 | lea eax, [eax]
// 90 | nop
// e9???????? |
// 8d09 | lea ecx, [ecx]
condition:
7 of them and filesize < 1122304
}
// From ClamAV
rule Win_Ransomware_Locky
{
meta:
description= "Detect the risk of Ransomware Locky Rule 3"
strings:
$a0 = { 558bec518d45??50ff15[4]50ff15[4]85c074158b4d??83f9027c0dff7488fcff15[4]59c9c333c0c9c3 }
$a1 = { 558bec5156578d45??50ff15[4]50ff15[4]8bf085f6741b837d??027c15ff7604ff15[4]59568bf8ff15[4]eb0233ff8bc75f5ec9c3 }
$a2 = { 8d45??5068[4]c745??47657454c745??69636b43c745??6f756e74c645??00ff15[4]50ff15[4]8945??ffd0 }
$a3 = { F51A5B38A8AF95760C8CF179CB43474580A5E48E2D74EF4E56660CA4A2A1407D }
condition:
any of them
}
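Review bot: $a3 at L2284 is a 32-byte hex string with no wildcards that looks like a SHA-256 digest carried over from a ClamAV hash signature into a byte pattern; as written it only matches if those 32 raw bytes occur inside the file, which a file's own digest never does. If it is a sample hash, express it as `hash.sha256(0,filesize) == "f51a5b38a8af95760c8cf179cb43474580a5e48e2d74ef4e56660ca4a2a1407d"` under `import "hash"`, otherwise delete it; with `any of them` at L2286 it is harmless today but misleading to maintain.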


@@ -0,0 +1,28 @@
rule Ransom_MBRLocker {
meta:
description= "Detect the risk of Ransomware MBRLocker Rule 1"
strings:
$s1 = "PhysicalDrive0" nocase
$s2 = "Your disk have a lock!" nocase
$s3 = "Please input the unlock password!" nocase
$s4 = {5bc678014e0d80fd8d858fc731384f4dff01ff01ff01ff01ff01}
$s5 = {5bc678014e0d53ef4ee54e3a7a7a7684}
$s6 = "jiesuo+qq"
$s7 = "jiesuo+QQ"
$x1 = {566A0068800000006A036A006A0168000000406828645900ff15????????8B}
$x2 = "CreateFileA" fullword ascii
condition:
uint16(0) == 0x5a4d and $s1 and 3 of them
}
rule KillMBR {
meta:
description= "Detect the risk of Ransomware MBRLocker Rule 2"
strings:
$s1 = "\\\\.\\PhysicalDrive" ascii
$s2 = "/logger.php" ascii
$s3 = "Ooops! Your MBR was been rewritten" ascii
$s4 = "No, this ransomware dont encrypt your files, erases it" ascii
condition:
uint16(0) == 0x5a4d and (2 of them and #s1 > 10)
}
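Review bot: `$x2 = "CreateFileA" fullword ascii` at L2304 is an import name present in almost every Win32 executable, so it always fills one slot of `3 of them` at L2306; since $s1 is mandatory and also counts toward the three, the rule effectively needs `PhysicalDrive0` plus one more string, and `PhysicalDrive0` also appears in legitimate disk utilities. Count only the distinctive strings instead: `uint16(0) == 0x5a4d and $s1 and 2 of ($s2, $s3, $s4, $s5, $s6, $s7, $x1)`.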


@@ -0,0 +1,16 @@
import "hash"
rule Magniber_hash
{
meta:
description ="Detect the risk of Magniber Rule 1"
condition:
hash.sha256(0,filesize) == "a09b48239e7aba75085e2217e13da0eb1cb8f01a2e4e08632769097e0c412b9f"
}
rule Ransom_Magniber {
meta:
description ="Detect the risk of Magniber Rule 2"
strings:
$header = {4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B0 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 01 00 ?? ?? ?? 60 00 00 00 00 00 00 00 00 F0 00 22 00 0B 02 0B 00 00 52 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 00 00 00 02 00 00 00 00 00 00 02 00 60 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00 ?? 51 00 00 00 10 00 00 00 52 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 56 EB}
condition:
$header at 0 and filesize < 30KB
}
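Review bot: `$header at 0` (L2335) encodes nearly the entire DOS stub and PE header — exact SizeOfCode, section sizes and the first two bytes of `.text` — with only the low timestamp bytes and one size byte wildcarded, so it matches essentially one build and will not survive a recompile; it is a hash with extra steps, and Magniber_hash at L2324 already serves that role. Either wildcard the size and timestamp fields broadly and keep only the parts that actually distinguish Magniber, or replace the blob with `pe` module checks on the few header fields that matter. A one-line comment naming which bytes are the intended discriminator would make the pattern reviewable at all.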

174
yaraRules/Ransom.Makop.yar Normal file

@@ -0,0 +1,174 @@
rule RANSOM_makop
{
meta:
description= "Detect the risk of Ransomware Makop Rule 1"
hash = "008e4c327875110b96deef1dd8ef65cefa201fef60ca1cbb9ab51b5304e66fe1"
strings:
$pattern_0 = { 50 8d7c2420 e8???????? 84c0 0f84a6020000 8b742460 ba???????? }
$pattern_1 = { 51 52 53 ffd5 85c0 746d 8b4c240c }
$pattern_2 = { 7521 68000000f0 6a18 6a00 6a00 56 ff15???????? }
$pattern_3 = { 83c40c 8d4e0c 51 66c7060802 66c746041066 c6460820 }
$pattern_4 = { 51 ffd3 50 ffd7 8b4628 85c0 }
$pattern_5 = { 85c9 741e 8b4508 8b4d0c 8a11 }
$pattern_6 = { 83c002 6685c9 75f5 2bc6 d1f8 66390c46 8d3446 }
$pattern_7 = { 895a2c 8b7f04 85ff 0f85f7feffff 55 6a00 }
$pattern_8 = { 8b3d???????? 6a01 6a00 ffd7 50 ff15???????? }
$pattern_9 = { 85c0 7407 50 ff15???????? }
condition:
7 of them and
filesize < 237568
}
rule win_makop_ransomware_auto {
meta:
description= "Detect the risk of Ransomware Makop Rule 2"
strings:
$sequence_0 = { 6a04 8d542408 52 6a18 50 c744241400000000 ff15???????? }
// n = 7, score = 100
// 6a04 | push 4
// 8d542408 | lea edx, [esp + 8]
// 52 | push edx
// 6a18 | push 0x18
// 50 | push eax
// c744241400000000 | mov dword ptr [esp + 0x14], 0
// ff15???????? |
$sequence_1 = { 8d442410 e8???????? 6a00 6a00 6a00 6a00 }
// n = 6, score = 100
// 8d442410 | lea eax, [esp + 0x10]
// e8???????? |
// 6a00 | push 0
// 6a00 | push 0
// 6a00 | push 0
// 6a00 | push 0
$sequence_2 = { 7403 50 ffd6 8b442410 83f8ff 7403 }
// n = 6, score = 100
// 7403 | je 5
// 50 | push eax
// ffd6 | call esi
// 8b442410 | mov eax, dword ptr [esp + 0x10]
// 83f8ff | cmp eax, -1
// 7403 | je 5
$sequence_3 = { 57 6a2c 33db 53 ffd6 8b3d???????? }
// n = 6, score = 100
// 57 | push edi
// 6a2c | push 0x2c
// 33db | xor ebx, ebx
// 53 | push ebx
// ffd6 | call esi
// 8b3d???????? |
$sequence_4 = { 0fb74c1702 83c202 0fb7ee 2bcd 74e8 33ed 3bcd }
// n = 7, score = 100
// 0fb74c1702 | movzx ecx, word ptr [edi + edx + 2]
// 83c202 | add edx, 2
// 0fb7ee | movzx ebp, si
// 2bcd | sub ecx, ebp
// 74e8 | je 0xffffffea
// 33ed | xor ebp, ebp
// 3bcd | cmp ecx, ebp
$sequence_5 = { 7420 837c240c08 7219 8b442410 8b4c2414 50 51 }
// n = 7, score = 100
// 7420 | je 0x22
// 837c240c08 | cmp dword ptr [esp + 0xc], 8
// 7219 | jb 0x1b
// 8b442410 | mov eax, dword ptr [esp + 0x10]
// 8b4c2414 | mov ecx, dword ptr [esp + 0x14]
// 50 | push eax
// 51 | push ecx
$sequence_6 = { 85c0 751a ff15???????? 8b4c2404 51 ff15???????? 32c0 }
// n = 7, score = 100
// 85c0 | test eax, eax
// 751a | jne 0x1c
// ff15???????? |
// 8b4c2404 | mov ecx, dword ptr [esp + 4]
// 51 | push ecx
// ff15???????? |
// 32c0 | xor al, al
$sequence_7 = { 56 6a00 ffd7 50 ff15???????? 6a08 }
// n = 6, score = 100
// 56 | push esi
// 6a00 | push 0
// ffd7 | call edi
// 50 | push eax
// ff15???????? |
// 6a08 | push 8
$sequence_8 = { ffd3 50 ffd7 8b4628 85c0 741a b92c000000 }
// n = 7, score = 100
// ffd3 | call ebx
// 50 | push eax
// ffd7 | call edi
// 8b4628 | mov eax, dword ptr [esi + 0x28]
// 85c0 | test eax, eax
// 741a | je 0x1c
// b92c000000 | mov ecx, 0x2c
$sequence_9 = { 8b442418 8b542414 8bcf e8???????? 85c0 0f84db020000 8b442414 }
// n = 7, score = 100
// 8b442418 | mov eax, dword ptr [esp + 0x18]
// 8b542414 | mov edx, dword ptr [esp + 0x14]
// 8bcf | mov ecx, edi
// e8???????? |
// 85c0 | test eax, eax
// 0f84db020000 | je 0x2e1
// 8b442414 | mov eax, dword ptr [esp + 0x14]
condition:
7 of them and filesize < 107520
}
rule win_makop_ransomware_w0 {
meta:
description= "Detect the risk of Ransomware Makop Rule 3"
strings:
$str1 = "-%08X"
$str2 = "MPR.dll"
$str3 = "\\*.*" wide
$dec1 = { 8b ?? ?? 6a 08 8d ?? ?? ?? 52 8d ?? ?? ?? 50 e8 ?? ?? ?? ?? 66 ?? ?? ?? ?? 66 ?? ?? ?? ?? 83 c4 0c 66 3b c1 76 ?? 0f b7 c9 0f b7 f8 2b f9 74 ?? 57 6a 00 ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8b d8 85 db 74 ?? 0f ?? ?? ?? ?? 03 ?? ?? 57 52 53 e8 ?? ?? ?? ?? 83 c4 0c 8d ?? ?? 55 ff ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 84 c0 74 ?? 8b ?? ?? ?? 50 53 6a 00 6a 00 89 ?? 8b ?? ?? 6a 00 50 ff ?? ?? ?? ?? ?? 85 c0 75 ?? ff ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 04 33 c0 5f 5e 5d 5b 83 c4 0c c2 08 00}
$start = {55 8b ec 83 e4 f8 a1 ?? ?? ?? ?? 81 ec 64 02 00 00 85 c0 53 56 57 74 ?? 6a 00 50 ff ?? ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 8b ?? ?? 0f ?? ?? ?? 8b ?? ?? 51 e8 ?? ?? ?? ?? 83 c4 04 84 c0 0f ?? ?? ?? ?? ?? 8b ?? ?? 8d ?? ?? 8d ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 50 6a 00 ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8b f0 85 f6 0f ?? ?? ?? ?? ?? 8b ?? ?? 80 ?? ?? ?? 75 ?? 81 fb fa 00 00 00 72 ?? 8b ?? ?? ?? ?? ?? 8b de e8 ?? ?? ?? ?? 8b ?? ?? 8b ?? ?? 83 c7 04 8d ?? ?? e8 ?? ?? ?? ?? 8b ?? ?? 8d ?? ?? ?? bf 05 00 00 00 eb ??}
condition:
( uint16(0) == 0x5a4d and
( 4 of them )
) or ( all of them )
}
rule Makop_Ransomware {
meta:
description= "Detect the risk of Ransomware Makop Rule 4"
hash1 = "082a2ce2dde8b3a50f2d499496879e85562ee949cb151c8052eaaa713cddd0f8"
strings:
$s1 = "MPR.dll" fullword ascii
$s2 = "-%08X" fullword ascii
$api1 = {43 72 79 70 74 47 65 6E 52 61 6E 64 6F 6D 00 00 CA 00 43 72 79 70 74 49 6D 70 6F 72 74 4B 65 79 00 00 BA 00 43 72 79 70 74 45 6E 63 72 79 70 74}
$api2 = {B7 00 43 72 79 70 74 44 65 73 74 72 6F 79 4B 65 79 00 B4 00 43 72 79 70 74 44 65 63 72 79 70 74 00 00 B1 00 43 72 79 70 74 41 63 71 75 69 72 65 43 6F 6E 74 65 78 74 57}
$api3 = {10 00 57 4E 65 74 43 6C 6F 73 65 45 6E 75 6D 00 3D 00 57 4E 65 74 4F 70 65 6E 45 6E 75 6D 57 00 1C 00 57 4E 65 74 45 6E 75 6D 52 65 73 6F 75 72 63 65 57 00 4D 50 52 2E 64 6C 6C}
condition:
uint16(0) == 0x5a4d and filesize < 200KB and
3 of them
}
rule Makop_Ransomware_2 {
meta:
description= "Detect the risk of Ransomware Makop Rule 5"
hash1 = "082a2ce2dde8b3a50f2d499496879e85562ee949cb151c8052eaaa713cddd0f8"
strings:
$s1 = "CryptSetKeyParam" fullword ascii
$s2 = "CryptImportKey" fullword ascii
$opcode1 = {8B 44 24 08 8B 0E 57 6A 00 6A 00 6A 2C 50 51 FF 15 [4] 85 C0 75 0C}
$opcode2 = {6A 00 52 6A 01 50 FF 15 [4] 85 C0}
condition:
uint16(0) == 0x5a4d and filesize < 200KB and
all of them
}
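Review bot: In `Makop_Ransomware` the condition `3 of them` is satisfied by `$s1`, `$s2` and `$api3` alone, and those three all describe the same thing — the MPR.dll/WNet import table plus a `-%08X` format string — which any network-share enumeration tool can carry, so the rule can fire without touching the encryption code. Requiring one of the CryptoAPI import fragments keeps the hit tied to the family-specific part: `uint16(0) == 0x5a4d and filesize < 200KB and 1 of ($api1, $api2) and 3 of them`. The same `MPR.dll` / `-%08X` pair is the only text evidence in `win_makop_ransomware_w0`, where the `or ( all of them )` branch only adds coverage for inputs that fail the MZ check; a one-line comment stating that intent would save the next reader from wondering whether it is a mistake.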


@@ -0,0 +1,18 @@
rule Ransom_MedusaLocker {
meta:
description= "Detect the risk of Ransomware MedusaLocker Rule 1"
hash1 = "1e2335fef46f7320069623fff6702acb41c2877aff5fec83d94a561af37c3c7a"
strings:
$exts = ".exe,.dll,.sys,.ini,.lnk,.rdp,.encrypted,.READINSTRUCTIONS,.recoverme,.Readinstructions,.hivteam,.hiv,.386,.adv,.ani,.bat,.bin,." ascii
$process1 = "wxServer.exe,wxServerView,sqlservr.exe,sqlmangr.exe,RAgui.exe,supervise.exe,Culture.exe,RTVscan.exe,Defwatch.exe,sqlbrowser.exe," ascii
$process2 = "DtSrvr.exe,tomcat6.exe,java.exe,360se.exe,360doctor.exe,wdswfsafe.exe,fdlauncher.exe,fdhost.exe,GDscan.exe,ZhuDongFangYu.exe" fullword ascii
$delshadows = "vssadmin.exe Delete Shadows /All /Quiet" fullword wide
$s1 = "<!-- !!! dont changing this !!! -->" fullword ascii
$s2 = "\\Users\\All Users" fullword wide
$s3 = "[LOCKER] Kill processes" fullword wide
$s4 = " <!-- -->" fullword ascii
$s5 = "[LOCKER] Is already running" fullword wide
condition:
uint16(0) == 0x5a4d and
3 of them
}
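Review bot: The `3 of them` condition in `Ransom_MedusaLocker` is met by `$delshadows`, `$s2` and `$s4` together, and none of those is specific to MedusaLocker — the `vssadmin.exe Delete Shadows /All /Quiet` command, `\Users\All Users` and an empty XML comment occur across many ransomware families and some legitimate installers, so a hit can be a correct "ransomware" verdict with the wrong family name. Anchoring on one of the family-specific markers keeps the attribution honest: `uint16(0) == 0x5a4d and (any of ($process*) or $exts or $s3 or $s5) and 3 of them`. The ` <!-- -->` and `<!-- !!! dont changing this !!! -->` strings look like fragments of an embedded manifest or config; a short comment naming the artefact they come from would make future tuning easier.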

189
yaraRules/Ransom.Nemty.yar Normal file



@@ -0,0 +1,20 @@
rule Ransom_NoCry {
meta:
description= "Detect the risk of Ransomware NoCry Rule 1"
hash1 = "486f2053c32ba44eb2afaf87e1ba8d8db408ef09cb7d895f3a8dc0f4081a7467"
strings:
$a1 = "https://www.google.com/search?q=how+to+buy+bitcoin"
$a2 = "C:\\Users\\ku5h2\\OneDrive\\Desktop\\NoCry Discord\\ransomeware\\obj\\Debug\\NoCry.pdb" fullword ascii
$a3 = " worth of bitcoin to this address:"
$a4 = "Ooooops All Your Files Are Encrypted ,NoCry"
$a5 = "NoCry.Form4.resources"
$a6 = "Decryption : Working * "
$a7 = "Runcount.cry"
$aop1 = {28 36 00 00 0A 00 1F FE 0A 18 0C 02 19 17 73 EE 00 00 0A 80 4E 00 00 04 19 0C 03 1A 18 73 EE 00 00 0A 80 4F 00 00}
$b1 = "EncryptOrDecryptFile" fullword ascii
$b2 = "bytKey" fullword ascii
$b3 = "MD5HASH" fullword ascii
condition:
uint16(0) == 0x5a4d and (any of ($a*) or all of ($b*))
}
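Review bot: `any of ($a*)` in `Ransom_NoCry` lets `$a1` (a Google search URL) or `$a3` (a generic ransom-note phrase) fire the rule on its own, and because `$aop1` also matches the `$a*` wildcard it is silently part of that set; the discriminating evidence is the PDB path `$a2` and the opcode block. `uint16(0) == 0x5a4d and ($a2 or $aop1 or 2 of ($a*) or all of ($b*))` restricts single-string hits to the strong indicators. This appears to be a .NET binary (the `.resources` name and the IL-style opcodes), in which case user-facing strings such as `$a3`, `$a4`, `$a6` and `$a7` are presumably stored as UTF-16 in the #US heap and would need `wide` (or `ascii wide`) to match — worth confirming against the referenced sample.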

273
yaraRules/Ransom.Petya.yar Normal file

@@ -0,0 +1,273 @@
rule win_petya_auto {
meta:
description= "Detect the risk of Ransomware Petya Rule 1"
strings:
$sequence_0 = { 8d4e28 e8???????? 8d4e4c e8???????? }
// n = 4, score = 600
// 8d4e28 | lea ecx, [esi + 0x28]
// e8???????? |
// 8d4e4c | lea ecx, [esi + 0x4c]
// e8???????? |
$sequence_1 = { 8bc6 c1e810 88442429 8bc6 c1e808 8844242a }
// n = 6, score = 600
// 8bc6 | mov eax, esi
// c1e810 | shr eax, 0x10
// 88442429 | mov byte ptr [esp + 0x29], al
// 8bc6 | mov eax, esi
// c1e808 | shr eax, 8
// 8844242a | mov byte ptr [esp + 0x2a], al
$sequence_2 = { 0f42f2 6a04 56 e8???????? 8bd8 }
// n = 5, score = 600
// 0f42f2 | cmovb esi, edx
// 6a04 | push 4
// 56 | push esi
// e8???????? |
// 8bd8 | mov ebx, eax
$sequence_3 = { 6a04 6a20 c705????????20000000 e8???????? }
// n = 4, score = 600
// 6a04 | push 4
// 6a20 | push 0x20
// c705????????20000000 |
// e8???????? |
$sequence_4 = { 51 83c050 03c7 53 50 e8???????? }
// n = 6, score = 600
// 51 | push ecx
// 83c050 | add eax, 0x50
// 03c7 | add eax, edi
// 53 | push ebx
// 50 | push eax
// e8???????? |
$sequence_5 = { e8???????? 8d4e10 e8???????? 8d4e1c e8???????? 8d4e28 e8???????? }
// n = 7, score = 600
// e8???????? |
// 8d4e10 | lea ecx, [esi + 0x10]
// e8???????? |
// 8d4e1c | lea ecx, [esi + 0x1c]
// e8???????? |
// 8d4e28 | lea ecx, [esi + 0x28]
// e8???????? |
$sequence_6 = { c7461001000000 33c0 5e 8be5 }
// n = 4, score = 600
// c7461001000000 | mov dword ptr [esi + 0x10], 1
// 33c0 | xor eax, eax
// 5e | pop esi
// 8be5 | mov esp, ebp
$sequence_7 = { 8bda c1e60e c1e017 33ff 0bf9 c1eb09 8b4c2424 }
// n = 7, score = 600
// 8bda | mov ebx, edx
// c1e60e | shl esi, 0xe
// c1e017 | shl eax, 0x17
// 33ff | xor edi, edi
// 0bf9 | or edi, ecx
// c1eb09 | shr ebx, 9
// 8b4c2424 | mov ecx, dword ptr [esp + 0x24]
$sequence_8 = { 7617 53 33db 8b4e74 03cb }
// n = 5, score = 600
// 7617 | jbe 0x19
// 53 | push ebx
// 33db | xor ebx, ebx
// 8b4e74 | mov ecx, dword ptr [esi + 0x74]
// 03cb | add ecx, ebx
$sequence_9 = { 8d4e10 e8???????? 8d4e1c e8???????? 8d4e28 e8???????? }
// n = 6, score = 600
// 8d4e10 | lea ecx, [esi + 0x10]
// e8???????? |
// 8d4e1c | lea ecx, [esi + 0x1c]
// e8???????? |
// 8d4e28 | lea ecx, [esi + 0x28]
// e8???????? |
condition:
7 of them and filesize < 229376
}
rule win_eternal_petya_auto {
meta:
description= "Detect the risk of Ransomware Petya Rule 2"
strings:
$sequence_0 = { 8bec 51 57 68000000f0 }
// n = 4, score = 400
// 8bec | mov ebp, esp
// 51 | push ecx
// 57 | push edi
// 68000000f0 | push 0xf0000000
$sequence_1 = { 68f0000000 6a40 ff15???????? 8bd8 }
// n = 4, score = 400
// 68f0000000 | push 0xf0
// 6a40 | push 0x40
// ff15???????? |
// 8bd8 | mov ebx, eax
$sequence_2 = { 57 68000000f0 6a18 33ff }
// n = 4, score = 400
// 57 | push edi
// 68000000f0 | push 0xf0000000
// 6a18 | push 0x18
// 33ff | xor edi, edi
$sequence_3 = { 53 8d4644 50 53 6a02 }
// n = 5, score = 400
// 53 | push ebx
// 8d4644 | lea eax, [esi + 0x44]
// 50 | push eax
// 53 | push ebx
// 6a02 | push 2
$sequence_4 = { 40 49 75f9 56 ff15???????? }
// n = 5, score = 400
// 40 | inc eax
// 49 | dec ecx
// 75f9 | jne 0xfffffffb
// 56 | push esi
// ff15???????? |
$sequence_5 = { 53 6a21 8d460c 50 }
// n = 4, score = 400
// 53 | push ebx
// 6a21 | push 0x21
// 8d460c | lea eax, [esi + 0xc]
// 50 | push eax
$sequence_6 = { 50 8d8594f9ffff 50 894dac }
// n = 4, score = 300
// 50 | push eax
// 8d8594f9ffff | lea eax, [ebp - 0x66c]
// 50 | push eax
// 894dac | mov dword ptr [ebp - 0x54], ecx
$sequence_7 = { ff75f8 8945fc ff15???????? 56 56 6a02 56 }
// n = 7, score = 300
// ff75f8 | push dword ptr [ebp - 8]
// 8945fc | mov dword ptr [ebp - 4], eax
// ff15???????? |
// 56 | push esi
// 56 | push esi
// 6a02 | push 2
// 56 | push esi
$sequence_8 = { ff7608 03c1 50 ff15???????? }
// n = 4, score = 300
// ff7608 | push dword ptr [esi + 8]
// 03c1 | add eax, ecx
// 50 | push eax
// ff15???????? |
$sequence_9 = { 0fb7044a 6685c0 7412 0fb7444584 66890c47 0fb7044a 66ff444584 }
// n = 7, score = 300
// 0fb7044a | movzx eax, word ptr [edx + ecx*2]
// 6685c0 | test ax, ax
// 7412 | je 0x14
// 0fb7444584 | movzx eax, word ptr [ebp + eax*2 - 0x7c]
// 66890c47 | mov word ptr [edi + eax*2], cx
// 0fb7044a | movzx eax, word ptr [edx + ecx*2]
// 66ff444584 | inc word ptr [ebp + eax*2 - 0x7c]
$sequence_10 = { 83e001 89412c 8b4320 c7403001000000 }
// n = 4, score = 300
// 83e001 | and eax, 1
// 89412c | mov dword ptr [ecx + 0x2c], eax
// 8b4320 | mov eax, dword ptr [ebx + 0x20]
// c7403001000000 | mov dword ptr [eax + 0x30], 1
$sequence_11 = { 8b4d0c 0fb71441 8955f0 3bd3 0f862fffffff 8b45cc }
// n = 6, score = 300
// 8b4d0c | mov ecx, dword ptr [ebp + 0xc]
// 0fb71441 | movzx edx, word ptr [ecx + eax*2]
// 8955f0 | mov dword ptr [ebp - 0x10], edx
// 3bd3 | cmp edx, ebx
// 0f862fffffff | jbe 0xffffff35
// 8b45cc | mov eax, dword ptr [ebp - 0x34]
$sequence_12 = { 2bc1 d1f8 8d440002 50 6a08 ffd6 50 }
// n = 7, score = 300
// 2bc1 | sub eax, ecx
// d1f8 | sar eax, 1
// 8d440002 | lea eax, [eax + eax + 2]
// 50 | push eax
// 6a08 | push 8
// ffd6 | call esi
// 50 | push eax
$sequence_13 = { 83e001 894304 8bc2 83e003 83e800 }
// n = 5, score = 300
// 83e001 | and eax, 1
// 894304 | mov dword ptr [ebx + 4], eax
// 8bc2 | mov eax, edx
// 83e003 | and eax, 3
// 83e800 | sub eax, 0
$sequence_14 = { 75f5 2bcf d1f9 8d1409 8bce 85d2 }
// n = 6, score = 200
// 75f5 | jne 0xfffffff7
// 2bcf | sub ecx, edi
// d1f9 | sar ecx, 1
// 8d1409 | lea edx, [ecx + ecx]
// 8bce | mov ecx, esi
// 85d2 | test edx, edx
$sequence_15 = { 50 ffd6 85c0 0f8480000000 8b95f4fdffff 8d8df8fdffff }
// n = 6, score = 200
// 50 | push eax
// ffd6 | call esi
// 85c0 | test eax, eax
// 0f8480000000 | je 0x86
// 8b95f4fdffff | mov edx, dword ptr [ebp - 0x20c]
// 8d8df8fdffff | lea ecx, [ebp - 0x208]
condition:
7 of them and filesize < 851968
}
rule win_eternal_petya_w0 {
meta:
description= "Detect the risk of Ransomware Petya Rule 3"
strings:
$encrypt_file = { 55 8B EC 83 EC ?? 53 56 57 8B 7D ?? 8B 4F ?? 33 DB 8D 45 ?? 50 53 53 51 89 5D ?? 89 5D ?? 89 5D ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 55 ?? 53 53 6A ?? 53 53 68 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 8B F0 83 FE ?? 0F 84 ?? ?? ?? ?? 8D 45 ?? 50 8D 4D ?? 51 57 8B CE E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? 39 5D ?? 0F 84 ?? ?? ?? ?? 39 5D ?? 0F 84 ?? ?? ?? ?? 8D 55 ?? 52 56 FF 15 ?? ?? ?? ?? 8B 4F ?? 8B 45 ?? 83 C1 ?? 2B C1 19 5D ?? 89 45 ?? 89 5D ?? 78 ?? 7F ?? 3D ?? ?? ?? ?? 76 ?? B8 ?? ?? ?? ?? EB ?? C7 45 ?? ?? ?? ?? ?? 53 50 53 6A ?? 53 8B F8 56 89 45 ?? 89 7D ?? FF 15 ?? ?? ?? ?? 8B D8 85 DB 74 ?? 8B 55 ?? 52 6A ?? 6A ?? 6A ?? 53 FF 15 ?? ?? ?? ?? 8B F8 85 FF 74 ?? 8B 4D ?? 8B 55 ?? 8D 45 ?? 50 57 6A ?? 51 6A ?? 52 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8B 45 ?? 50 57 FF 15 ?? ?? ?? ?? 8B 4D ?? 51 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 57 FF 15 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 8B 7D ?? 8B 45 ?? 3B C7 73 ?? 2B F8 EB ?? 33 FF 8B 55 ?? 8B 42 ?? 8D 4C 38 ?? 6A ?? 51 E8 ?? ?? ?? ?? 8B 7D ?? 83 C4 ?? 33 DB 56 FF 15 ?? ?? ?? ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 39 5D ?? 74 ?? 39 5D ?? 75 ?? 8B 47 ?? 8B 35 ?? ?? ?? ?? 50 FF D6 8B 7F ?? 3B FB 74 ?? 57 FF D6 5F 5E 5B 8B E5 5D C3 }
$main_encrypt = { 55 8B EC 56 6A ?? 6A ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 8B 75 ?? 89 46 ?? 85 C0 0F 84 ?? ?? ?? ?? 53 8B 1D ?? ?? ?? ?? 57 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 8D 7E ?? 57 FF D3 85 C0 75 ?? FF 15 ?? ?? ?? ?? 3D ?? ?? ?? ?? 75 ?? 6A ?? 6A ?? 6A ?? 6A ?? 57 FF D3 85 C0 74 ?? 8B 07 8D 5E ?? 53 50 8B 46 ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 8B C6 E8 ?? ?? ?? ?? 85 C0 74 ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 56 8D 4E ?? 6A ?? 51 E8 ?? ?? ?? ?? 8B 56 ?? 83 C4 ?? 52 FF 15 ?? ?? ?? ?? 8B 46 ?? 50 FF 15 ?? ?? ?? ?? 8B 0B 51 FF 15 ?? ?? ?? ?? 8B 17 6A ?? 52 FF 15 ?? ?? ?? ?? 8B 46 ?? 50 FF 15 ?? ?? ?? ?? 5F 5B B9 ?? ?? ?? ?? 8D 46 ?? 8B FF C6 00 ?? 40 49 75 ?? 56 FF 15 ?? ?? ?? ?? 33 C0 5E 5D C2 ?? ?? }
$encryption_loop = { 8B 7C 24 ?? 6A ?? 6A ?? 8D 43 ?? 50 33 C0 39 43 ?? 0F 95 C0 40 50 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8D 44 24 ?? 66 8B 10 66 3B 11 75 ?? 66 85 D2 74 ?? 66 8B 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 66 85 D2 75 ?? 33 C0 EB ?? 1B C0 83 D8 ?? 85 C0 0F 84 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8D 44 24 ?? 8D 64 24 ?? 66 8B 10 66 3B 11 75 ?? 66 85 D2 74 ?? 66 8B 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 66 85 D2 75 ?? 33 C0 EB ?? 1B C0 83 D8 ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 4C 24 ?? 51 57 8D 94 24 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8B 44 24 ?? A8 ?? 74 ?? A9 ?? ?? ?? ?? 75 ?? 8D BC 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 75 ?? 8B 45 ?? 53 48 50 8B CF 51 E8 ?? ?? ?? ?? 83 C4 ?? EB ?? 8D 54 24 ?? 52 FF 15 ?? ?? ?? ?? 8D 4C 24 ?? 8D 71 ?? 90 66 8B 11 83 C1 ?? 66 85 D2 75 ?? 2B CE D1 F9 8D 4C 4C ?? 3B C1 74 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 8D 94 24 ?? ?? ?? ?? 53 52 E8 ?? ?? ?? ?? 83 C4 ?? 8B 74 24 ?? 8D 44 24 ?? 50 56 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ??}
condition:
$encrypt_file and $main_encrypt and $encryption_loop
}
rule Petya_Ransomware {
meta:
description= "Detect the risk of Ransomware Petya Rule 4"
hash = "26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739"
strings:
$a1 = "<description>WinRAR SFX module</description>" fullword ascii
$s1 = "BX-Proxy-Manual-Auth" fullword wide
$s2 = "<!--The ID below indicates application support for Windows 10 -->" fullword ascii
$s3 = "X-HTTP-Attempts" fullword wide
$s4 = "@CommandLineMode" fullword wide
$s5 = "X-Retry-After" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 500KB and $a1 and 3 of ($s*)
}
rule Ransom_Petya {
meta:
description= "Detect the risk of Ransomware Petya Rule 5"
strings:
$a1 = { C1 C8 14 2B F0 03 F0 2B F0 03 F0 C1 C0 14 03 C2 }
$a2 = { 46 F7 D8 81 EA 5A 93 F0 12 F7 DF C1 CB 10 81 F6 }
$a3 = { 0C 88 B9 07 87 C6 C1 C3 01 03 C5 48 81 C3 A3 01 00 00 }
condition:
all of them
}
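Review bot: Nothing in `Petya_Ransomware` is specific to Petya: `$a1` is the WinRAR SFX module manifest and `$s1`–`$s5` look like generic HTTP proxy/retry header names and manifest text that ship in many SFX-wrapped installers, so the rule identifies the dropper packaging rather than the payload. If that is intentional, record it in the meta — e.g. a `detail` line stating that the rule matches the WinRAR SFX wrapper of the dropper in `hash`, not the Petya payload — so a hit is triaged as "SFX wrapper, inspect contents" rather than as a confirmed Petya detection. Otherwise gate the condition on a payload marker so the MZ-plus-SFX pre-filter alone cannot fire.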

113
yaraRules/Ransom.Phobos.yar Normal file

@@ -0,0 +1,113 @@
rule MALWARE_Win_Phobos {
meta:
description = "Detect the risk of Ransomware Phobos Rule 1"
strings:
$x1 = "\\\\?\\UNC\\\\\\e-" fullword wide
$x2 = "\\\\?\\ :" fullword wide
$x3 = "POST" fullword wide
$s1 = "ELVL" fullword wide
$s2 = /SUP\d{3}/ fullword wide
$s3 = { 41 31 47 ?? 41 2b }
condition:
uint16(0) == 0x5a4d and all of ($x*) and 1 of ($s*)
}
rule win_phobos_auto {
meta:
description = "Detect the risk of Ransomware Phobos Rule 2"
strings:
$sequence_0 = { 57 ff15???????? 8906 3bc7 7427 57 ff36 }
// n = 7, score = 100
// 57 | push edi
// ff15???????? |
// 8906 | mov dword ptr [esi], eax
// 3bc7 | cmp eax, edi
// 7427 | je 0x29
// 57 | push edi
// ff36 | push dword ptr [esi]
$sequence_1 = { 59 6a14 8d4304 50 57 e8???????? }
// n = 6, score = 100
// 59 | pop ecx
// 6a14 | push 0x14
// 8d4304 | lea eax, [ebx + 4]
// 50 | push eax
// 57 | push edi
// e8???????? |
$sequence_2 = { ff7508 ffd0 ff75f8 57 e8???????? 59 }
// n = 6, score = 100
// ff7508 | push dword ptr [ebp + 8]
// ffd0 | call eax
// ff75f8 | push dword ptr [ebp - 8]
// 57 | push edi
// e8???????? |
// 59 | pop ecx
$sequence_3 = { 0f85b3000000 57 8d44242c 50 be08020000 56 }
// n = 6, score = 100
// 0f85b3000000 | jne 0xb9
// 57 | push edi
// 8d44242c | lea eax, [esp + 0x2c]
// 50 | push eax
// be08020000 | mov esi, 0x208
// 56 | push esi
$sequence_4 = { 8945e4 85c0 0f84c2000000 bf???????? be04010000 }
// n = 5, score = 100
// 8945e4 | mov dword ptr [ebp - 0x1c], eax
// 85c0 | test eax, eax
// 0f84c2000000 | je 0xc8
// bf???????? |
// be04010000 | mov esi, 0x104
$sequence_5 = { 8b450c 83c414 85c0 7408 8b0e 8b4c3908 }
// n = 6, score = 100
// 8b450c | mov eax, dword ptr [ebp + 0xc]
// 83c414 | add esp, 0x14
// 85c0 | test eax, eax
// 7408 | je 0xa
// 8b0e | mov ecx, dword ptr [esi]
// 8b4c3908 | mov ecx, dword ptr [ecx + edi + 8]
$sequence_6 = { eb05 ff74bc3c 4f ff15???????? 3bfb 75f1 }
// n = 6, score = 100
// eb05 | jmp 7
// ff74bc3c | push dword ptr [esp + edi*4 + 0x3c]
// 4f | dec edi
// ff15???????? |
// 3bfb | cmp edi, ebx
// 75f1 | jne 0xfffffff3
$sequence_7 = { 333c95d0b14000 8b55fc c1ea08 c1eb10 23d0 8b1495d0ad4000 23d8 }
// n = 7, score = 100
// 333c95d0b14000 | xor edi, dword ptr [edx*4 + 0x40b1d0]
// 8b55fc | mov edx, dword ptr [ebp - 4]
// c1ea08 | shr edx, 8
// c1eb10 | shr ebx, 0x10
// 23d0 | and edx, eax
// 8b1495d0ad4000 | mov edx, dword ptr [edx*4 + 0x40add0]
// 23d8 | and ebx, eax
$sequence_8 = { e8???????? be???????? 8d7c2428 a5 a5 a5 }
// n = 6, score = 100
// e8???????? |
// be???????? |
// 8d7c2428 | lea edi, [esp + 0x28]
// a5 | movsd dword ptr es:[edi], dword ptr [esi]
// a5 | movsd dword ptr es:[edi], dword ptr [esi]
// a5 | movsd dword ptr es:[edi], dword ptr [esi]
$sequence_9 = { 7703 83c020 c3 55 8bec 57 ff7508 }
// n = 7, score = 100
// 7703 | ja 5
// 83c020 | add eax, 0x20
// c3 | ret
// 55 | push ebp
// 8bec | mov ebp, esp
// 57 | push edi
// ff7508 | push dword ptr [ebp + 8]
condition:
7 of them and filesize < 139264
}
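Review bot: `$sequence_7` in `win_phobos_auto` embeds absolute image addresses (`333c95d0b14000` / `8b1495d0ad4000`, i.e. the tables at `0x40b1d0` and `0x40add0`), so it only matches builds that place those tables at exactly those VAs; a relinked or rebased sample breaks this sequence while the other nine stay valid. Wildcarding the 4-byte displacement keeps the instruction shape and drops the build-specific part: `$sequence_7 = { 333c95???????? 8b55fc c1ea08 c1eb10 23d0 8b1495???????? 23d8 }`. The `// n = 7, score = 100` lines read as generator output; a one-line header comment naming the tool that produced them and what `score` means would tell future maintainers whether to re-run the generator or hand-edit.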


@@ -0,0 +1,12 @@
rule Ransom_Povlsomware {
meta:
description= "Detect the risk of Ransomware Povlsomware Rule 1"
strings:
$Guid = {00002901002466653064356161372D353338662D343266362D396563652D623134313536306637373831}
$op1 = {0316326505D00?00000228?700000A28?800000AA50?0000020A067B??0000041F5C2E3E067B??0000041F5B2E34067B??0000041F09330E02067B??00000428??0000062D1C067B??0000041F1B331928?900000A20000002005F200000020033071728?A00000A2A027B0?00000403040528??0000062A}
$s1 = "Decrypting... Please wait" fullword wide
$s2 = "Please decrypt them!" fullword wide
condition:
uint16(0) == 0x5a4d and
any of them
}
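Review bot: With `any of them`, `$s1` (`Decrypting... Please wait`) or `$s2` (`Please decrypt them!`) alone triggers `Ransom_Povlsomware`, and those phrases can appear in benign tools or decryptor utilities; the assembly GUID and the IL opcode block are the discriminating evidence. `uint16(0) == 0x5a4d and ($Guid or $op1 or all of ($s*))` limits single-string hits to those two. The `$Guid` bytes decode to the text `$fe0d5aa7-538f-42f6-9ece-b141560f7781` preceded by what looks like a custom-attribute prolog and length byte, so a comment naming it as the .NET assembly GUID (or a text string for the GUID itself) would make the intent visible without decoding hex.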


@@ -0,0 +1,16 @@
rule Ransom_QNAPCrypt {
meta:
description= "Detect the risk of Ransomware QNAPCrypt Rule 1"
hash1 = "039a997681655004aed1cc4c6ee24bf112d79e4f3b823ccae96b4a32c5ed1b4c"
hash2 = "0b851832f9383df7739cd28ccdfd59925e9af7203b035711a7d96bba34a9eb04"
hash3 = "19448f9aa1fe6c07d52abc59d1657a7381cfdb4a4fa541279097cc9e9412964b"
hash4 = "2fe577fd9c77d3bebdcf9bfc6416c3f9a12755964a8098744519709daf2b09ce"
hash5 = "36cfb1a7c971041c9483e4f4e092372c9c1ab792cd9de7b821718ccd0dbb09c1"
strings:
$s1 = "1st.3ds.3fr.4db.4dd.602.a4p.a5w.abf.abw.act.adr.aep.aes.aex.aim.alx.ans.apk.apt.arj" ascii
$s2 = ".arw.asa.asc.ase.asp.asr.att.aty.awm.awp.awt.aww.axd.bak.bar.bat.bay.bc6.bc7.big.bik.bin.bit.bkf.bkp.bml.bok.bpw.bsa.bwp.bz2.c++" ascii
$s3 = ".swz.sxc.t12.t13.tar.tax.tbl.tbz.tcl.tgz.tib.tif.tor.tpl.txt.ucf.upk.url.vbd.vbo.vbs.vcf.vdf.vdi.vdw.vlp.vlx.vmx.vpk.vrt.vtf.w3x" ascii
$s4 = "README_FOR_DECRYPT.txt" ascii
condition:
uint16(0) == 0x457f and any of them
}
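Review bot: `uint16(0) == 0x457f` checks only the first two bytes of the ELF magic, and reads oddly because the little-endian reversal hides the `\x7fEL` bytes being tested; `uint32(0) == 0x464c457f` tests the full `\x7fELF` signature and documents itself. With `any of them`, `$s4` (`README_FOR_DECRYPT.txt`) alone fires the rule; if that note name is shared with related NAS ransomware strains, a meta comment saying so would help an analyst decide whether a hit is a variant or a mis-attribution.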


@@ -0,0 +1,12 @@
rule Ransom_Sarbloh
{
meta:
description= "Detect the risk of Ransomware Sarbloh Rule 1"
strings:
$note_path = {25005500530045005200500052004F00460049004C00450025000000250073005C004400650073006B0074006F0070005C0052004500410044004D0045005F0053004100520042004C004F0048002E007400780074}
$key_end = {410067004D0042004100410045003D002D002D002D002D002D0045004E00440020005000550042004C004900430020004B00450059002D002D002D002D002D00}
$key_start = {4B00450059002D002D002D002D002D004D004900490042004900540041004E00420067006B007100}
$note = {59004F00550052002000460049004C00450053002000410052004500200047004F004E0045002100210021}
condition:
uint16(0) == 0x5a4d and any of them
}
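Review bot: `$key_start` and `$key_end` decode to the UTF-16 text `KEY-----MIIBITANBgkq` and `AgMBAAE=-----END PUBLIC KEY-----`, which is generic PEM framing plus the DER SubjectPublicKeyInfo header and the `e=65537` trailer shared by essentially every PEM-encoded RSA public key of that length; with `any of them`, either one alone makes any PE that embeds such a key as a wide string match `Ransom_Sarbloh`. Keep the key fragments as corroboration only: `uint16(0) == 0x5a4d and ($note_path or $note or all of ($key*))`. All four strings are UTF-16 text, so `$note = "YOUR FILES ARE GONE!!!" wide` (and likewise for the others) would be equivalent and far easier to audit than the hex blobs.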


@@ -0,0 +1,26 @@
rule Ransom_Satana
{
meta:
description = "Detect the risk of Ransomware Satana Rule 1"
strings:
$a = { 21 00 73 00 61 00 74 00 61 00 6E 00 61 00 21 00 2E 00 74 00 78 00 74 00 00 }
$b = { 74 67 77 79 75 67 77 71 }
$c = { 53 77 76 77 6E 67 75 }
$d = { 45 6E 75 6D 4C 6F 63 61 6C 52 65 73 }
$e = { 57 4E 65 74 4F 70 65 6E 45 6E 75 6D 57 00 }
$f = { 21 53 41 54 41 4E 41 21 }
condition:
$b or $c and $d and $a and $e and $f
}
rule Ransom_Satana_Dropper
{
meta:
description = "Detect the risk of Ransomware Satana Rule 2"
strings:
$a = { 25 73 2D 54 72 79 45 78 63 65 70 74 }
$b = { 64 3A 5C 6C 62 65 74 77 6D 77 79 5C 75 69 6A 65 75 71 70 6C 66 77 75 62 2E 70 64 62 }
$c = { 71 66 6E 74 76 74 68 62 }
condition:
all of them
}
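Review bot: The condition of `Ransom_Satana`, `$b or $c and $d and $a and $e and $f`, parses as `$b or ($c and $d and $a and $e and $f)` because `and` binds tighter than `or`, so the eight-byte token `$b` (`tgwyugwq`) alone fires the rule and the note path, API names and `!SATANA!` marker are never required on that path. If the intent is that either token must appear alongside the other evidence, write `($b or $c) and $a and $d and $e and $f`. `$a` through `$f` are plain text (`!satana!.txt` as UTF-16, `EnumLocalRes`, `WNetOpenEnumW`, `!SATANA!`), so text strings with `wide`/`ascii` modifiers would make the rule reviewable without decoding.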


@@ -0,0 +1,13 @@
rule Ransom_ScreenLocker_Aug_3 {
meta:
description= "Detect the risk of Ransomware ScreenLocker Rule 1"
hash1 = "71ec3df35bf0acdf1d7071fd15a8727da8eaff1a98f3e236e52290b92217c198"
strings:
$s1 = "get_ransomware" fullword ascii
$s2 = "Ransomware" fullword ascii
$s3 = "Zakazane" fullword ascii
$Guid = "$d7a38334-313b-439e-a139-e7d2c97556c7" fullword ascii
condition:
uint16(0) == 0x5a4d and
(all of ($s*) or $Guid)
}


@@ -0,0 +1,435 @@
import "pe"
import "hash"
rule Sodinokibi_Loader{
meta:
description = "Detect the risk of Ransomware Sodinokibi Rule 1"
maltype = "Ransomware"
strings:
$string1 = "function Invoke-" nocase
$string2 = "$ForceASLR" nocase
$string3 = "$DoNotZeroMZ" nocase
$string4 = "$RemoteScriptBlock" nocase
$string5 = "$TypeBuilder" nocase
$string6 = "$Win32Constants" nocase
$string7 = "$OpenProcess" nocase
$string8 = "$WaitForSingleObject" nocase
$string9 = "$WriteProcessMemory" nocase
$string10 = "$ReadProcessMemory" nocase
$string11 = "$CreateRemoteThread" nocase
$string12 = "$OpenThreadToken" nocase
$string13 = "$AdjustTokenPrivileges" nocase
$string14 = "$LookupPrivilegeValue" nocase
$string15 = "$ImpersonateSelf" nocase
$string16 = "-SignedIntAsUnsigned" nocase
$string17 = "Get-Win32Types" nocase
$string18 = "Get-Win32Functions" nocase
$string19 = "Write-BytesToMemory" nocase
$string20 = "Get-ProcAddress" nocase
$string21 = "Enable-SeDebugPrivilege" nocase
$string22 = "Get-ImageNtHeaders" nocase
$string23 = "Get-PEBasicInfo" nocase
$string24 = "Get-PEDetailedInfo" nocase
$string25 = "Import-DllInRemoteProcess" nocase
$string26 = "Get-RemoteProcAddress" nocase
$string27 = "Update-MemoryAddresses" nocase
$string28 = "Import-DllImports" nocase
$string29 = "Get-VirtualProtectValue" nocase
$string30 = "Update-MemoryProtectionFlags" nocase
$string31 = "Update-ExeFunctions" nocase
$string32 = "Copy-ArrayOfMemAddresses" nocase
$string33 = "Get-MemoryProcAddress" nocase
$string34 = "Invoke-MemoryLoadLibrary" nocase
$string35 = "Invoke-MemoryFreeLibrary" nocase
$string36 = "$PEBytes32" nocase
$string37 = "TVqQAA"
$string38 = "FromBase64String" nocase
condition:
uint16(0) == 0x5a4d and 30 of ($string*)
}
rule ransomware_sodinokibi {
meta:
description = "Detect the risk of Ransomware Sodinokibi Rule 2"
detail = "Using a recently disclosed vulnerability in Oracle WebLogic, criminals use it to install a new variant of ransomware called “Sodinokibi"
hash4 = "9b62f917afa1c1a61e3be0978c8692dac797dd67ce0e5fd2305cc7c6b5fef392"
strings:
$x1 = "sodinokibi.exe" fullword wide
$y0 = { 8d 85 6c ff ff ff 50 53 50 e8 62 82 00 00 83 c4 }
$y1 = { e8 24 ea ff ff ff 75 08 8b ce e8 61 fc ff ff 8b }
$y2 = { e8 01 64 ff ff ff b6 b0 }
condition:
( uint16(0) == 0x5a4d and
filesize < 900KB and
pe.imphash() == "672b84df309666b9d7d2bc8cc058e4c2" and
( 8 of them ) and
all of ($y*)) or
( all of them )
}
rule Sodinokobi
{
meta:
description = "Detect the risk of Ransomware Sodinokibi Rule 3"
detail = "This rule detect Sodinokobi Ransomware in memory in old samples and perhaps future."
strings:
$a = { 40 0F B6 C8 89 4D FC 8A 94 0D FC FE FF FF 0F B6 C2 03 C6 0F B6 F0 8A 84 35 FC FE FF FF 88 84 0D FC FE FF FF 88 94 35 FC FE FF FF 0F B6 8C 0D FC FE FF FF }
$b = { 0F B6 C2 03 C8 8B 45 14 0F B6 C9 8A 8C 0D FC FE FF FF 32 0C 07 88 08 40 89 45 14 8B 45 FC 83 EB 01 75 AA }
condition:
all of them
}
rule win_revil_auto {
meta:
description = "Detect the risk of Ransomware Sodinokibi Rule 4"
strings:
$sequence_0 = { 8bb694000000 0fa4da0f c1e911 0bc2 c1e30f 8b5508 0bcb }
// n = 7, score = 4200
// 8bb694000000 | mov esi, dword ptr [esi + 0x94]
// 0fa4da0f | shld edx, ebx, 0xf
// c1e911 | shr ecx, 0x11
// 0bc2 | or eax, edx
// c1e30f | shl ebx, 0xf
// 8b5508 | mov edx, dword ptr [ebp + 8]
// 0bcb | or ecx, ebx
$sequence_1 = { 2345e4 33c7 898bb8000000 8b4de0 8983bc000000 f7d1 }
// n = 6, score = 4200
// 2345e4 | and eax, dword ptr [ebp - 0x1c]
// 33c7 | xor eax, edi
// 898bb8000000 | mov dword ptr [ebx + 0xb8], ecx
// 8b4de0 | mov ecx, dword ptr [ebp - 0x20]
// 8983bc000000 | mov dword ptr [ebx + 0xbc], eax
// f7d1 | not ecx
$sequence_2 = { 8b9f90000000 8bb788000000 8b978c000000 8945e0 8b477c 8945e4 8b8784000000 }
// n = 7, score = 4200
// 8b9f90000000 | mov ebx, dword ptr [edi + 0x90]
// 8bb788000000 | mov esi, dword ptr [edi + 0x88]
// 8b978c000000 | mov edx, dword ptr [edi + 0x8c]
// 8945e0 | mov dword ptr [ebp - 0x20], eax
// 8b477c | mov eax, dword ptr [edi + 0x7c]
// 8945e4 | mov dword ptr [ebp - 0x1c], eax
// 8b8784000000 | mov eax, dword ptr [edi + 0x84]
$sequence_3 = { 50 51 e8???????? 894608 59 59 85c0 }
// n = 7, score = 4200
// 50 | push eax
// 51 | push ecx
// e8???????? |
// 894608 | mov dword ptr [esi + 8], eax
// 59 | pop ecx
// 59 | pop ecx
// 85c0 | test eax, eax
$sequence_4 = { 6802020000 e8???????? 8bf0 59 }
// n = 4, score = 4200
// 6802020000 | push 0x202
// e8???????? |
// 8bf0 | mov esi, eax
// 59 | pop ecx
$sequence_5 = { 55 8bec 83ec10 8d45f0 50 6a0c }
// n = 6, score = 4200
// 55 | push ebp
// 8bec | mov ebp, esp
// 83ec10 | sub esp, 0x10
// 8d45f0 | lea eax, [ebp - 0x10]
// 50 | push eax
// 6a0c | push 0xc
$sequence_6 = { 897df8 83f803 7cca 8b4508 5f 5e }
// n = 6, score = 4200
// 897df8 | mov dword ptr [ebp - 8], edi
// 83f803 | cmp eax, 3
// 7cca | jl 0xffffffcc
// 8b4508 | mov eax, dword ptr [ebp + 8]
// 5f | pop edi
// 5e | pop esi
$sequence_7 = { 57 8b7d0c 6685c9 742e 0fb71f 8bd7 6685db }
// n = 7, score = 4200
// 57 | push edi
// 8b7d0c | mov edi, dword ptr [ebp + 0xc]
// 6685c9 | test cx, cx
// 742e | je 0x30
// 0fb71f | movzx ebx, word ptr [edi]
// 8bd7 | mov edx, edi
// 6685db | test bx, bx
$sequence_8 = { 56 57 8b7d08 33f6 397708 7621 8b470c }
// n = 7, score = 4200
// 56 | push esi
// 57 | push edi
// 8b7d08 | mov edi, dword ptr [ebp + 8]
// 33f6 | xor esi, esi
// 397708 | cmp dword ptr [edi + 8], esi
// 7621 | jbe 0x23
// 8b470c | mov eax, dword ptr [edi + 0xc]
$sequence_9 = { ebca 6b45fc0c 8b4d0c 52 ff540808 59 85c0 }
// n = 7, score = 4200
// ebca | jmp 0xffffffcc
// 6b45fc0c | imul eax, dword ptr [ebp - 4], 0xc
// 8b4d0c | mov ecx, dword ptr [ebp + 0xc]
// 52 | push edx
// ff540808 | call dword ptr [eax + ecx + 8]
// 59 | pop ecx
// 85c0 | test eax, eax
condition:
7 of them and filesize < 155794432
}
rule MAL_RANSOM_REvil_Oct20_1 {
meta:
description = "Detect the risk of Ransomware Sodinokibi Rule 4"
detail = "Detects REvil/Sodinokibi ransomware"
hash1 = "5966c25dc1abcec9d8603b97919db57aac019e5358ee413957927d3c1790b7f4"
hash2 = "f66027faea8c9e0ff29a31641e186cbed7073b52b43933ba36d61e8f6bce1ab5"
hash3 = "f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d"
hash4 = "fc26288df74aa8046b4761f8478c52819e0fca478c1ab674da7e1d24e1cfa501"
strings:
$op1 = { 0f 8c 74 ff ff ff 33 c0 5f 5e 5b 8b e5 5d c3 8b }
$op2 = { 8d 85 68 ff ff ff 50 e8 2a fe ff ff 8d 85 68 ff }
$op3 = { 89 4d f4 8b 4e 0c 33 4e 34 33 4e 5c 33 8e 84 }
$op4 = { 8d 85 68 ff ff ff 50 e8 05 06 00 00 8d 85 68 ff }
$op5 = { 8d 85 68 ff ff ff 56 57 ff 75 0c 50 e8 2f }
condition:
uint16(0) == 0x5a4d and
filesize < 400KB and
2 of them or 4 of them
}
rule Ransom_Sodinokibi {
meta:
description = "Detect the risk of Ransomware Sodinokibi Rule 5"
strings:
$s1 = "2!2&2>2K2R2Z2_2d2i2"
$s2 = "ERR0R D0UBLE RUN!"
$s3 = "4!5&575?5R5Z5~5"
$s4 = "344<4E4Z4f4p4x4"
$s5 = "?%?+?1?7?=?K?_?"
$s6 = "DTrump4ever"
$s7 = "3N,3NT3N|3"
$s8 = {65 78 70 61 6E 64 20 33 32 2D 62 79 74 65 20 6B 65 78 70 61 6E 64 20 31 36 2D 62 79 74 65}
$s9 = {76 00 6D 00 63 00 6F 00 6D 00 70 00 75 00 74 00 65 00 2E 00 65 00 78 00 65}
$s10 = {76 00 6D 00 6D 00 73 00 2E 00 65 00 78 00 65 00 00 00 00 00 76 00 6D 00 77 00 70 00 2E 00 65 00 78 00 65}
$op1 = {55 8B EC 83 EC 10 B9 B5 04 00 00 53 56 8B 75 08 C1 E6 10 33 75 08 81 F6 CD 8E CD 99 8B C6 C1 E8 15 57 3B C1}
$op2 = {55 8B EC 83 EC 44 56 8B 75 14 85 F6 0F 84 [4] 53 8B 5D 10 8D 4D BC 8B C3 2B C1 89 45 14}
condition:
uint16(0) == 0x5a4d and
filesize < 400KB and
2 of them or 4 of them
}
rule Ransom_Sodinokibi_2021_June {
meta:
description = "Detect the risk of Ransomware Sodinokibi Rule 6"
strings:
$s1 = "ERR0R D0UBLE RUN!" fullword ascii
$s2 = "DTrump4ever" fullword ascii
$op3 = {558BEC83EC30568D45FCBE78124100506A036A10685B12000056E8375200}
$op4 = {8B45088B4008A3D435410033C0405DC3558BEC8B45088B4008A3B4354100}
$op5 = {558BEC5153568D45FC33F650E84E4000008BD85985DB74315733FF47397D}
$op6 = {558BEC83EC0C894DF48B4DF4E80F0000008BE55DC3CCCCCCCCCCCCCCCCCC}
$op7 = {8B45FCC700707543008B4DFCE8980800008BE55DC3CCCCCCCC558BEC5189}
$op8 = {558BEC6AFF687867430064A100000000506489250000000083EC24894DD0}
$op9 = {558BEC51894DFC8B45FCC700707543008B4DFCE8980800008BE55DC3CCCC}
condition:
uint16(0) == 0x5a4d and filesize < 400KB and (2 of ($s*) or 2 of ($op*))
}
rule Ransom_Sodinokibi_Kaseya_supply_chain_attack {
meta:
description = "Detect the risk of Ransomware Sodinokibi Rule 7"
strings:
$header = {4D 5A 90 00 03 00 00 00 04 00 00 00
FF FF 00 00 B8 00 00 00 00 00 00 00
40 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00
?? ?? 00 00 0E 1F BA 0E 00 B4 09 CD
21 B8 01 4C CD 21 54 68 69 73 20 70
72 6F 67 72 61 6D 20 63 61 6E 6E 6F
74 20 62 65 20 72 75 6E 20 69 6E 20
44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A
24 00 00 00 00 00 00 00}
$s1 = {64 68 4B 65 79 41 67 72 65 65 6D 65 6E 74 00 00 63 72 79 70 74 6F 70 72 6F 00 00 00 44 45 53 2D 45 43 42 00 63 72 79 70 74 6F 63 6F 6D 00 00 00 64 65 73 2D 65 63 62 00 69 64 2D 47 6F 73 74 52 33 34 31 31 2D 39 34 2D 77 69 74 68 2D 47 6F 73 74 52 33 34 31 30 2D 32 30 30 31 00 44 45 53 2D 43 46 42 00 47 4F 53 54 20 52 20 33 34 2E 31 31 2D 39 34 20 77 69 74 68 20 47 4F 53 54 20 52 20 33 34 2E 31 30 2D 32 30 30 31 00 00 64 65 73 2D 63 66 62}
$s2 = {00 43 72 79 70 74 41 63 71 75 69 72 65 43 6F 6E 74 65 78 74 57 00 00 00 00 43 72 79 70 74 47 65 6E 52 61 6E 64 6F 6D 00 00 43 72 79 70 74 52 65 6C 65 61 73 65 43 6F 6E 74 65 78 74 00}
$s3 = "MpSvc.dll" fullword ascii
$s4 = {1F 42 72 6F 75 69 6C 6C 65 74 74 65 62 75 73 69 6E 65 73 73 40 6F 75 74 6C 6F 6F 6B 2E 63 6F 6D 30}
condition:
uint16(0) == 0x5a4d and $header at 0 and 3 of ($s*)
}
rule elf_REvil {
meta:
description = "Detect the risk of Ransomware Sodinokibi Rule 8"
detail = "detect the risk of elf REvil/Sodinokibi"
hash1 = "3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d"
hash2 = "796800face046765bd79f267c56a6c93ee2800b76d7f38ad96e5acb92599fcd4"
hash3 = "d6762eff16452434ac1acc127f082906cc1ae5b0ff026d0d4fe725711db47763"
hash4 = "ea1872b2835128e3cb49a0bc27e4727ca33c4e6eba1e80422db19b505f965bc4"
strings:
$s1 = "uname -a && echo \" | \" && hostname" fullword ascii
$s2 = "esxcli --formatter=csv --format-param=fields==\"WorldID,DisplayName\" vm process list | awk -F \"\\\"*,\\\"*\" '{system(\"esxcli" ascii
$s3 = "esxcli --formatter=csv --format-param=fields==\"WorldID,DisplayName\" vm process list | awk -F \"\\\"*,\\\"*\" '{system(\"esxcli" ascii
$s4 = "!!!BY DEFAULT THIS SOFTWARE USES 50 THREADS!!!" fullword ascii
$s5 = "[%s] already encrypted" fullword ascii
$s6 = "%d:%d: Comment not allowed here" fullword ascii
$s7 = "json.txt" fullword ascii
$s8 = "Error decoding user_id %d " fullword ascii
$s9 = "Error read urandm line %d!" fullword ascii
$s10 = "%d:%d: Unexpected EOF in block comment" fullword ascii
$s11 = "%d:%d: Unexpected `%c` in comment opening sequence" fullword ascii
$s12 = "File [%s] was encrypted" fullword ascii
$s13 = "File [%s] was NOT encrypted" fullword ascii
$s14 = "rand: try to read %hu but get %lu bytes" fullword ascii
$s15 = "Using silent mode, if you on esxi - stop VMs manualy" fullword ascii
$s16 = "Encrypting [%s]" fullword ascii
$s17 = "Error decoding note_body %d " fullword ascii
$s18 = "Error decoding sub_id %d " fullword ascii
$s19 = "Error decoding master_pk %d " fullword ascii
$s20 = "Error open urandm line %d!" fullword ascii
$s21 = "%d:%d: EOF unexpected" fullword ascii
$s22 = "fatal error malloc enc" fullword ascii
$s23 = "iji iji iji iji ij|- - - - - -|ji iji ifi iji iji iji" fullword ascii
$s24 = "iji iji iji iji ij| ENCRYPTED |ji iji ifi iji iji iji" fullword ascii
$s25 = "Key inizialization error ... something wrong with config" fullword ascii
$s26 = "ss kill --type=force --world-id=\" $1)}'" fullword ascii
$s27 = "pkill -9 %s" fullword ascii
$s28 = ".note.gnu.build-id" fullword ascii
$s29 = "libpthread.so.0" fullword ascii
$s30 = "File error " fullword ascii
$s31 = "Path: %s " fullword ascii
$s32 = "pthread_timedjoin_np" fullword ascii
$s33 = "Error parse cfg" fullword ascii
$s34 = "fatal error,master_pk size is bad %lu " fullword ascii
$s35 = "[%s] is protected by os" fullword ascii
$s36 = "n failurH" fullword ascii
$s37 = ".eh_frame_hdr" fullword ascii
$s38 = "fatal error, no cfg!" fullword ascii
$s39 = "Error create note in dir %s" fullword ascii
$s40 = "Error no json file!" fullword ascii
$s41 = ".note.ABI-tag" fullword ascii
$s42 = "--silent (-s) use for not stoping VMs mode" fullword ascii
$x1 = "\",\"nname\":\"{EXT}-readme.txt\",\"rdmcnt\":" ascii
$x2 = " without --path encrypts current dir" fullword ascii
condition:
( uint16(0) == 0x457f and ( 8 of them and 1 of ($x*))
) or ( all of them )
}
rule APT_MAL_REvil_Kaseya_Jul21_1 {
meta:
description = "Detect the risk of Ransomware Sodinokibi Rule 9"
detail = "Detects malware used in the Kaseya supply chain attack"
hash1 = "1fe9b489c25bb23b04d9996e8107671edee69bd6f6def2fe7ece38a0fb35f98e"
hash2 = "aae6e388e774180bc3eb96dad5d5bfefd63d0eb7124d68b6991701936801f1c7"
hash3 = "dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f"
hash4 = "df2d6ef0450660aaae62c429610b964949812df2da1c57646fc29aa51c3f031e"
strings:
$s1 = "Mpsvc.dll" wide fullword
$s2 = ":0:4:8:<:@:D:H:L:P:T:X:\\:`:d:h:l:p:t:x:H<L<P<\\<`<" ascii fullword
$op1 = { 40 87 01 c3 6a 08 68 f8 0e 41 00 e8 ae db ff ff be 80 25 41 00 39 35 ?? 32 41 00 }
$op2 = { 8b 40 04 2b c2 c1 f8 02 3b c8 0f 84 56 ff ff ff 68 15 50 40 00 2b c1 6a 04 }
$op3 = { 74 73 db e2 e8 ad 07 00 00 68 60 1a 40 00 e8 8f 04 00 00 e8 3a 05 00 00 50 e8 25 26 00 00 }
$op4 = { 75 05 8b 45 fc eb 4c c7 45 f8 00 00 00 00 6a 00 8d 45 f0 50 8b 4d 0c }
$op5 = { 83 7d 0c 00 75 05 8b 45 fc eb 76 6a 00 68 80 00 00 00 6a 01 6a 00 }
condition:
uint16(0) == 0x5a4d and
filesize < 3000KB and
(
pe.imphash() == "c36dcd2277c4a707a1a645d0f727542a" or
2 of them
)
}
rule APT_MAL_REvil_Kaseya_Jul21_2 {
meta:
description = "Detect the risk of Ransomware Sodinokibi Rule 10"
detail = "Detects malware used in the Kaseya supply chain attack"
hash1 = "0496ca57e387b10dfdac809de8a4e039f68e8d66535d5d19ec76d39f7d0a4402"
hash2 = "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd"
hash3 = "cc0cdc6a3d843e22c98170713abf1d6ae06e8b5e34ed06ac3159adafe85e3bd6"
hash4 = "d5ce6f36a06b0dc8ce8e7e2c9a53e66094c2adfc93cfac61dd09efe9ac45a75f"
hash5 = "d8353cfc5e696d3ae402c7c70565c1e7f31e49bcf74a6e12e5ab044f306b4b20"
hash6 = "e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2"
strings:
$opa1 = { 8b 4d fc 83 c1 01 89 4d fc 81 7d f0 ff 00 00 00 77 1? ba 01 00 00 00 6b c2 00 8b 4d 08 }
$opa2 = { 89 45 f0 8b 4d fc 83 c1 01 89 4d fc 81 7d f0 ff 00 00 00 77 1? ba 01 00 00 00 6b c2 00 }
$opa3 = { 83 c1 01 89 4d fc 81 7d f0 ff 00 00 00 77 1? ba 01 00 00 00 6b c2 00 8b 4d 08 0f b6 14 01 }
$opa4 = { 89 45 f4 8b 0d ?? ?0 07 10 89 4d f8 8b 15 ?? ?1 07 10 89 55 fc ff 75 fc ff 75 f8 ff 55 f4 }
$opb1 = { 18 00 10 bd 18 00 10 bd 18 00 10 0e 19 00 10 cc cc cc }
$opb2 = { 18 00 10 0e 19 00 10 cc cc cc cc 8b 44 24 04 }
$opb3 = { 10 c4 18 00 10 bd 18 00 10 bd 18 00 10 0e 19 00 10 cc cc }
condition:
uint16(0) == 0x5a4d and
filesize < 3000KB and ( 2 of ($opa*) or 3 of them )
}
rule REvil_Decryptor {
meta:
description = "Detect the risk of Ransomware Sodinokibi Rule 11"
detail = "Detects REvil's Decryptor/Sodinokibi"
strings:
$op1 = {558BEC833D4C0F410000568B7508750A837E0801}
$op2 = {8B45088B4008A34C0F410033C0405DC3558BEC83}
$op3 = {558BEC5153568D45FC33F650E8D51700008BD859}
$op4 = {CCCCCCCCCCCCCCCCCCCCCCCC57565533FF33ED8B}
$op5 = {8D8568FFFFFF50E8CE0700008D8568FFFFFF50E8}
$x1 = {00 7B 22 61 6C 6C 22 3A 20 74 72 75 65 2C 20 22 6D 61 73 74 65 72 5F 73 6B 22 3A 20 22}
$x2 = {22 2C 20 22 65 78 74 22 3A 20 5B}
condition:
uint16(0) == 0x5a4d and 2 of ($op*) and all of ($x*)
}
rule Sodinokibi_032021 {
meta:
description = "Detect the risk of Ransomware Sodinokibi Rule 12"
detail = "Sodinokibi_032021: files - file DomainName.exe"
hash1 = "2896b38ec3f5f196a9d127dbda3f44c7c29c844f53ae5f209229d56fd6f2a59c"
strings:
$s1 = "vmcompute.exe" fullword wide
$s2 = "vmwp.exe" fullword wide
$s3 = "bootcfg /raw /a /safeboot:network /id 1" fullword ascii
$s4 = "bcdedit /set {current} safeboot network" fullword ascii
$s5 = "7+a@P>:N:0!F$%I-6MBEFb M" fullword ascii
$s6 = "jg:\"\\0=Z" fullword ascii
$s7 = "ERR0R D0UBLE RUN!" fullword wide
$s8 = "VVVVVPQ" fullword ascii
$s9 = "VVVVVWQ" fullword ascii
$s10 = "Running" fullword wide /* Goodware String - occured 159 times */
$s11 = "expand 32-byte kexpand 16-byte k" fullword ascii
$s12 = "9RFIT\"&" fullword ascii
$s13 = "jZXVf9F" fullword ascii
$s14 = "tCWWWhS=@" fullword ascii
$s15 = "vmms.exe" fullword wide /* Goodware String - occured 1 times */
$s16 = "JJwK9Zl" fullword ascii
$s17 = "KkT37uf4nNh2PqUDwZqxcHUMVV3yBwSHO#K" fullword ascii
$s18 = "0*090}0" fullword ascii /* Goodware String - occured 1 times */
$s19 = "5)5I5a5" fullword ascii /* Goodware String - occured 1 times */
$s20 = "7-7H7c7" fullword ascii /* Goodware String - occured 1 times */
condition:
uint16(0) == 0x5a4d and filesize < 400KB and
( pe.imphash() == "031931d2f2d921a9d906454d42f21be0" or 8 of them )
}
rule Sodinokibi_hash
{
meta:
description ="Detect the risk of Sodinokibi Rule 13"
condition:
hash.sha256(0,filesize) =="67c4d6f5844c2549e75b876cb32df8b22d2eae5611feeb37f9a2097d67cc623e"
}

152
yaraRules/Ransom.Stop.yar Normal file

@@ -0,0 +1,152 @@
rule win_stop_auto {
meta:
description= "Detect the risk of Ransomware STOP Rule 1"
strings:
$sequence_0 = { 6a12 ff33 ff15???????? 8b35???????? 8b3d???????? }
// n = 5, score = 400
// 6a12 | push 0x12
// ff33 | push dword ptr [ebx]
// ff15???????? |
// 8b35???????? |
// 8b3d???????? |
$sequence_1 = { 8d45e0 50 ffd6 85c0 75e2 6a64 ff15???????? }
// n = 7, score = 400
// 8d45e0 | lea eax, [ebp - 0x20]
// 50 | push eax
// ffd6 | call esi
// 85c0 | test eax, eax
// 75e2 | jne 0xffffffe4
// 6a64 | push 0x64
// ff15???????? |
$sequence_2 = { 6a00 6a12 ff33 ff15???????? 8b35???????? 8b3d???????? }
// n = 6, score = 400
// 6a00 | push 0
// 6a12 | push 0x12
// ff33 | push dword ptr [ebx]
// ff15???????? |
// 8b35???????? |
// 8b3d???????? |
$sequence_3 = { 83c102 eb84 6a0c 68???????? e8???????? 8b7d08 }
// n = 6, score = 400
// 83c102 | add ecx, 2
// eb84 | jmp 0xffffff86
// 6a0c | push 0xc
// 68???????? |
// e8???????? |
// 8b7d08 | mov edi, dword ptr [ebp + 8]
$sequence_4 = { e8???????? 83c404 8b4b04 b8abaaaa2a 2b0b }
// n = 5, score = 400
// e8???????? |
// 83c404 | add esp, 4
// 8b4b04 | mov ecx, dword ptr [ebx + 4]
// b8abaaaa2a | mov eax, 0x2aaaaaab
// 2b0b | sub ecx, dword ptr [ebx]
$sequence_5 = { ffd6 85c0 75e8 6a0a ff7304 ff15???????? 3d02010000 }
// n = 7, score = 400
// ffd6 | call esi
// 85c0 | test eax, eax
// 75e8 | jne 0xffffffea
// 6a0a | push 0xa
// ff7304 | push dword ptr [ebx + 4]
// ff15???????? |
// 3d02010000 | cmp eax, 0x102
$sequence_6 = { e8???????? 83c404 33c0 c7463c07000000 c7463800000000 }
// n = 5, score = 400
// e8???????? |
// 83c404 | add esp, 4
// 33c0 | xor eax, eax
// c7463c07000000 | mov dword ptr [esi + 0x3c], 7
// c7463800000000 | mov dword ptr [esi + 0x38], 0
$sequence_7 = { 56 6a00 ff7508 68???????? 6a00 6a00 ff15???????? }
// n = 7, score = 400
// 56 | push esi
// 6a00 | push 0
// ff7508 | push dword ptr [ebp + 8]
// 68???????? |
// 6a00 | push 0
// 6a00 | push 0
// ff15???????? |
$sequence_8 = { 51 51 dd1c24 e8???????? dc4de0 }
// n = 5, score = 400
// 51 | push ecx
// 51 | push ecx
// dd1c24 | fstp qword ptr [esp]
// e8???????? |
// dc4de0 | fmul qword ptr [ebp - 0x20]
$sequence_9 = { ff7508 ffd0 5d c3 8b0d???????? 33d2 85c9 }
// n = 7, score = 400
// ff7508 | push dword ptr [ebp + 8]
// ffd0 | call eax
// 5d | pop ebp
// c3 | ret
// 8b0d???????? |
// 33d2 | xor edx, edx
// 85c9 | test ecx, ecx
condition:
7 of them and filesize < 6029312
}
rule MALWARE_Win_STOP {
meta:
description= "Detect the risk of Ransomware STOP Rule 2"
strings:
$x1 = "C:\\SystemID\\PersonalID.txt" fullword wide
$x2 = "/deny *S-1-1-0:(OI)(CI)(DE,DC)" wide
$x3 = "e:\\doc\\my work (c++)\\_git\\encryption\\" ascii wide nocase
$s1 = "\" --AutoStart" fullword ascii wide
$s2 = "--ForNetRes" fullword wide
$s3 = "--Admin" fullword wide
$s4 = "%username%" fullword wide
$s5 = "?pid=" fullword wide
$s6 = /&first=(true|false)/ fullword wide
$s7 = "delself.bat" ascii
$mutex1 = "{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}" fullword ascii
$mutex2 = "{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}" fullword ascii
$mutex3 = "{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}" fullword ascii
condition:
uint16(0) == 0x5a4d and ((2 of ($x*) and 1 of ($mutex*)) or (all of ($x*)) or (6 of ($s*) and (1 of ($x*) or 1 of ($mutex*))) or (9 of them))
}
rule Ransom_Stop {
meta:
description= "Detect the risk of Ransomware STOP Rule 3"
strings:
$s1 = "Zopeheci nol wubipanur vatesADiwidadepuzixem"
$s2 = "%Tacexozemiyusij juxoyoyos jiwicefojulIHebecawadoxa"
$s3 = "QWamem mutumog wenaze tayifetebuz yorelij ripif lezivemizan"
$s4 = "vunafula.exe"
$s5 = "zatir.exe"
$s6 = "E:\\Doc\\My work (C++)\\_Git\\Encryption\\Release\\encrypt_win_api.pdb"
$s7 = "SuspendYourMind" fullword ascii
$s8 = "mowapevuvahoyobajimuluzo jojof xuvuxoyipunolakokedub hohivuligesohowu ferasorafawumahuzodisuley" fullword ascii
$s9 = "fezekopupikayecicizojisowa zihebagaponaxo" fullword ascii
$s10 = "bevopanorehikay" fullword ascii
$s11 = "labedubacosexuc" fullword ascii
$s12 = "Leyifuyitefam jagucubolim9Cixuco"
$s13 = "Zab xeyilipawemeliyovadusekelu bevusibivi" fullword ascii
condition:
any of them
}
rule Ransom_Stop_2 {
meta:
description= "Detect the risk of Ransomware STOP Rule 4"
strings:
$op1 = {003145F833C5508D45F064A300000000837D08007505E9980000006A04E8????000083C404C745FC000000008B450883E8208945E48B4DE48B511481E2FFFF}
$op2 = {000083C404C38B4DF064890D00000000595F5E5B8BE55DC3CCCCCCCCCCCCCC}
$s1 = {0000000000420075007300750068006F0070006500640000004C006F00760061006A00200062006900760065007800610070006F006A00650068000000}
condition:
uint16(0) == 0x5a4d and all of them
}
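Review bot: `Ransom_Stop` fires on `any of them` with no header or size gate, so a single plain-text occurrence of `zatir.exe`, `vunafula.exe` or the PDB path in `$s6` (in a log, a report, scanner output) is enough to match, whereas `MALWARE_Win_STOP` and `Ransom_Stop_2` in the same file both require `uint16(0) == 0x5a4d`. The short `$s4`/`$s5` filenames are the weakest anchors here. Bringing the condition in line with its siblings, `uint16(0) == 0x5a4d and any of them`, keeps the intent while cutting text-file false positives.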


@@ -0,0 +1,22 @@
rule Ransom_Termite {
meta:
description= "Detect the risk of Ransomware Termite Rule 1"
hash1 = "e6c015b5dc3312e08fb242b7979b59818ff1d3bef65afee4852534ed1edba5cd"
hash2 = "14acfbc63214e30d80258e7a32a0e366b0029d2119efa5b9c7126195124b71ae"
hash3 = "ac5d4062cc3514901312d7cc2691d71ec56ba71b55f02c3f1f9aebe94cb2fbea"
strings:
$s1 = "Payment.exe" fullword ascii
$s2 = "Termite.exe" fullword ascii
$s3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Termite.exe" fullword ascii
$s4 = "C:\\Windows\\Termite.exe" fullword ascii
$s5 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Payment.exe" fullword ascii
$s6 = "\\Shell\\Open\\Command\\" fullword ascii
$s7 = "\\Payment.exe" fullword ascii
$s8 = "\\Termite.exe" fullword ascii
$s9 = "Software\\Microsoft\\PassWord" fullword ascii
$s10 = "takeown /f \"**\"" fullword ascii
$s11 = "\\TemporaryFile" fullword ascii
$s12 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\" fullword ascii
condition:
uint16(0) == 0x5a4d and 8 of them
}
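Review bot: The `8 of them` threshold in `Ransom_Termite` is inflated by substring overlap: `$s1` (`Payment.exe`) is contained in `$s5` and `$s7`, and `$s2` (`Termite.exe`) in `$s3`, `$s4` and `$s8`; since `fullword` treats `\` and `.` as delimiters, each of those occurrences also counts the contained string. Five physical strings can therefore count as seven, and `$s6` and `$s12` are generic registry/shell paths seen in benign software, so the effective bar is lower than it reads. Consider dropping the contained strings or anchoring on the family-specific ones, e.g. `uint16(0) == 0x5a4d and 1 of ($s3, $s4, $s9, $s10) and 8 of them`.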


@@ -0,0 +1,136 @@
rule Ransom_TeslaCrypt {
meta:
description= "Detect the risk of Ransomware TeslaCrypt Rule 1"
hash1 = "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370"
strings:
$x1 = "%s\\system32\\cmd.exe" fullword wide
$s2 = "mshta.exe \"http://50.7.138.132/?Subject=ping&addr=%s&&version=%s&date=%lld&OS=%ld&ID=%d&subid=%d\"" fullword ascii
$s3 = " !!!-key = %s -!!!" fullword ascii
$s4 = " /c start \"\" \"%s\"" fullword wide
$s5 = "1. Download Tor Browser from http://torproject.org" fullword ascii
$s6 = "7tno4hib47vlep5o.tor2web.org" fullword ascii
$s7 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" fullword ascii
$s8 = "with strongest encryption and unique key, generated for this computer." fullword ascii
$s9 = "https://7tno4hib47vlep5o.tor2web.org" fullword wide
$s10 = "in immediate elimination of the private key by the server." fullword wide
$s11 = "if https://34r6hq26q2h4jkzj.tor2web.org is not opening, please follow the steps: " fullword wide
$s12 = "Encryption was produced using a unique public key RSA-2048 generated " fullword wide
$s13 = "https://34r6hq26q2h4jkzj.tor2web.org" fullword wide
$s14 = "!!!Decrypt your files!!!" fullword wide
$s15 = "Enter Decrypt key" fullword wide
$s16 = "Enter Decrypt Key" fullword wide
$s17 = "Your personal files are encrypted!" fullword wide
$s18 = "\\HELP_TO_DECRYPT_YOUR_FILES.txt" fullword wide
$s19 = "Subject=Ping&key=%s&addr=%s&files=%d&size=%d&version=%s&date=%lld&OS=%ld&ID=%d&subid=%d&gate=G%d" fullword ascii
$s20 = "Subject=Payment&recovery_key=%s&addr=%s&files=%d&size=%d&version=%s&date=%lld&OS=%ld&ID=%d&subid=%d" fullword ascii
$s21 = "Subject=Crypted&key=%s&addr=%s&files=%lld&size=%lld&version=%s&date=%lld&OS=%ld&ID=%d&subid=%d&gate=G%d" fullword ascii
$s22 = "vssadmin delete shadows /all" fullword ascii
$s23 = "procexp" fullword wide
$s24 = "Your payment is not received !!!" fullword wide
$s25 = "7tno4hib47vlep5o.tor2web.fi" fullword ascii
$s26 = "Your documents, photos, databases and other important files have been encrypted" fullword ascii
$s27 = "7tno4hib47vlep5o.tor2web.blutmagie.de" fullword ascii
$s28 = "decrypt your files until you pay and obtain the private key." fullword ascii
$s29 = "CBigNum::operator= : BN_copy failed" fullword ascii
$s30 = "https://7tno4hib47vlep5o.tor2web.fi" fullword wide
$s31 = "https://7tno4hib47vlep5o.tor2web.blutmagie.de" fullword wide
$s32 = "ComSpec" fullword wide
$s33 = "https://34r6hq26q2h4jkzj.tor2web.fi" fullword wide
$s34 = "The only copy of the private key, which will allow you to decrypt your files, " fullword wide
$s35 = "Click \"Show encrypted files\" Button to view a complete list of encrypted files," fullword wide
$s36 = "\\CryptoLocker.lnk" fullword wide
$s37 = "\\key.dat" fullword wide
$s38 = "Open http://34r6hq26q2h4jkzj.tor2web.fi or http://34r6hq26q2h4jkzj.onion.cab" fullword ascii
$s39 = "Now you have the last chance to decrypt your files." fullword ascii
$s40 = "msconfig" fullword wide
$s41 = "Any attempt to remove or corrupt this software will result " fullword wide
$s42 = "All files Decrypted" fullword wide
$s43 = "in your browser. They are public gates to the secret server." fullword ascii
$s44 = "https://blockchain.info/address/%s" fullword ascii
$s45 = " Type Descriptor'" fullword ascii
$s46 = "After instalation,run the browser and enter address " fullword wide
$s47 = "www.torproject.org/projects/torbrowser.html.en" fullword wide
$s48 = "private key." fullword wide
$s49 = "Your private key will be " fullword wide
$s50 = "https://www.torproject.org/projects/torbrowser.html.en" fullword wide
$s51 = "\\HELP_TO_DECRYPT_YOUR_FILES.bmp" fullword wide
$s52 = "3|$(3\\$ " fullword ascii /* hex encoded string '3' */
$s53 = "---!!!Done!!!---" fullword ascii
$s54 = " constructor or from DllMain." fullword ascii
$s55 = "Enter Decryption key here" fullword wide
$s56 = "Decryption key:" fullword wide
$s57 = "Show encrypted files" fullword wide
$s58 = "You must install this browser" fullword wide
$s59 = "for this computer. To decrypt files you need to obtain the " fullword wide
$s60 = "Your files have been safely encrypted on this PC: photos,videos, documents,etc. " fullword wide
$s61 = "Please wait !!! " fullword wide
$s62 = "Private decryption key is stored on a secret Internet server and nobody can" fullword ascii
$s63 = "System1230123" fullword wide
$s64 = "Copy and paste the following Bitcoin address in the input form on server. Avoid missprints." fullword ascii
$s65 = ".?AVbignum_error@@" fullword ascii
$s66 = "EncodeBase58 : BN_div failed" fullword ascii
$s67 = "/api/v0/addresses/%s" fullword ascii
$s68 = "CBigNum conversion from unsigned long : BN_set_word failed" fullword ascii
$s69 = "bitcoin.toshi.io" fullword ascii
$s70 = "2. In the Tor Browser open the http://34r6hq26q2h4jkzj.onion/ " fullword ascii
$s71 = "/state.php?%s" fullword ascii
$s72 = "If you have problems with gates, use direct connection:" fullword ascii
$s73 = "file crypted %s <br>" fullword wide
$s74 = "Check Key" fullword wide
$s75 = "Click to copy Bitcoin address to clipboard" fullword wide
$s76 = "34r6hq26q2h4jkzj.onion " fullword wide
$s77 = "\\log.html" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 900KB and
5 of them
}
rule Win_Ransomware_Teslacrypt_21
{
meta:
description= "Detect the risk of Ransomware TeslaCrypt Rule 2"
strings:
$a0 = { 4f6e6520646179206166746572[0-20]474f5020686f706566756c20616674657220527562696f2064726f7073 }
condition:
all of them
}
rule Ransom_TeslaCrypt_2 {
meta:
description= "Detect the risk of Ransomware TeslaCrypt Rule 3"
hash1 = "9b462800f1bef019d7ec00098682d3ea7fc60e6721555f616399228e4e3ad122"
hash2 = "afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18"
strings:
$s1 = " VirtualQuery failed for %d bytes at address %p" fullword ascii
$s2 = "SCwF- N" fullword ascii
$s3 = "3!!!U[[[" fullword ascii
$s4 = " Unknown pseudo relocation protocol version %d." fullword ascii
$s5 = "k3lYXY- " fullword ascii
$s6 = "4#Z)* G" fullword ascii
$s7 = "PAuA, K" fullword ascii
$s8 = "ccJYo7V!" fullword ascii
$s9 = "ZnXA85np" fullword ascii
$s10 = "<\\t5</t1" fullword ascii
$s11 = "mjvL<q&" fullword ascii
$s12 = "jrotM=?f)" fullword ascii
$s13 = "XVvbHC%" fullword ascii
$s14 = "<EEFywww" fullword ascii
$s15 = "Yywt)hK" fullword ascii
$s16 = "UDzE/\"Q" fullword ascii
$s17 = "mQaDQ5d]" fullword ascii
$s18 = "OfSection" fullword wide
$s19 = "ZwUnmapView" fullword wide
$s20 = " Unknown pseudo relocation bit size %d." fullword ascii
$s21 = "11\\`@k#" fullword ascii
$s22 = "V6Z<-1" fullword ascii
$s23 = "Xb8em;" fullword ascii
$s24 = "s l|k?" fullword ascii
$s25 = "UVcSp$" fullword ascii
$s26 = "6Y#^\":" fullword ascii
$s27 = "2#Au$DRJ" fullword ascii
$s28 = "QRPhd6D" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 800KB and ( 15 of them )
) or ( all of them )
}
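Review bot: `$a0` in `Win_Ransomware_Teslacrypt_21` is hex for the ASCII text `One day after` … `GOP hopeful after Rubio drops` — a news-headline fragment — and the condition `all of them` carries no PE-header or size gate, so any document, web cache or mail body containing that sentence matches. If the sentence is a decoy or note marker taken from a specific sample, record that in `meta` so the next reader does not strip it; either way, gating it with `uint16(0) == 0x5a4d and all of them` is consistent with the other two rules in this file. Separately, `Ransom_TeslaCrypt`'s `5 of them` can be met by generic strings alone (`$s7`, `$s23`, `$s32`, `$s40`, `$s45`, `$s54`), so requiring `$x1` or a higher count would tighten it.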

138
yaraRules/Ransom.Thanos.yar Normal file

@@ -0,0 +1,138 @@
rule Ransom_Thanos {
meta:
description= "Detect the risk of Ransomware Thanos Rule 1"
hash1 = "4852f22df095db43f2a92e99384ff7667020413e74f67fcbd42fca16f8f96f4c"
hash2 = "714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409"
strings:
$a1 = "Huahitec.exe" fullword wide
$a2 = "Selected compression algorithm is not supported." fullword wide
$a3 = "<Encrypt2>b__3f" fullword ascii
$b1 = "F935DC23-1CF0-11D0-ADB9-00C04FD58A0B" nocase ascii wide
$b2 = "SimpleZip" fullword ascii
$b3 = "CryptoStream" fullword ascii
$s1 = "GetAesTransform" fullword ascii
$s2 = "GetFromResource" fullword ascii
$s3 = "CreateGetStringDelegate" fullword ascii
$s4 = "<Encrypt2>b__40" fullword ascii
$s5 = "Unknown Header" fullword wide
$s6 = "SmartAssembly.Attributes" fullword ascii
$s7 = "CompressionAlgorithm" fullword ascii
$s8 = "hashtableLock" fullword ascii
$s9 = "DoNotPruneAttribute" fullword ascii
$s10 = "MemberRefsProxy" fullword ascii
$s11 = "DoNotPruneTypeAttribute" fullword ascii
$s12 = "SmartAssembly.Zip" fullword ascii
$s13 = "Huahitec" fullword ascii
$s14 = "GetCachedOrResource" fullword ascii
$s15 = "<Killproc>b__5" fullword ascii
$s16 = "<Killproc>b__4" fullword ascii
$s17 = "PathLink" fullword ascii
$x1 = "RijndaelManaged" fullword ascii
$x2 = "Microsoft.VisualBasic" ascii
condition:
uint16(0) == 0x5a4d and 2 of ($a*) and 2 of ($b*) and 6 of ($s*) and all of ($x*)
}
rule win_hakbit_auto {
meta:
description= "Detect the risk of Ransomware Thanos Rule 2"
strings:
$sequence_0 = { 40 c1e004 8b4dfc 8d740104 8b45e4 c1e004 8b4dfc }
// n = 7, score = 300
// 40 | inc eax
// c1e004 | shl eax, 4
// 8b4dfc | mov ecx, dword ptr [ebp - 4]
// 8d740104 | lea esi, [ecx + eax + 4]
// 8b45e4 | mov eax, dword ptr [ebp - 0x1c]
// c1e004 | shl eax, 4
// 8b4dfc | mov ecx, dword ptr [ebp - 4]
$sequence_1 = { 8bec 51 51 c745f8010000c0 e8???????? 58 }
// n = 6, score = 300
// 8bec | mov ebp, esp
// 51 | push ecx
// 51 | push ecx
// c745f8010000c0 | mov dword ptr [ebp - 8], 0xc0000001
// e8???????? |
// 58 | pop eax
$sequence_2 = { 40 8945f4 837df403 7377 8b45f4 8b4dfc }
// n = 6, score = 300
// 40 | inc eax
// 8945f4 | mov dword ptr [ebp - 0xc], eax
// 837df403 | cmp dword ptr [ebp - 0xc], 3
// 7377 | jae 0x79
// 8b45f4 | mov eax, dword ptr [ebp - 0xc]
// 8b4dfc | mov ecx, dword ptr [ebp - 4]
$sequence_3 = { ff7508 8b45fc 83c018 ffd0 8945f8 837df800 0f8ca8000000 }
// n = 7, score = 300
// ff7508 | push dword ptr [ebp + 8]
// 8b45fc | mov eax, dword ptr [ebp - 4]
// 83c018 | add eax, 0x18
// ffd0 | call eax
// 8945f8 | mov dword ptr [ebp - 8], eax
// 837df800 | cmp dword ptr [ebp - 8], 0
// 0f8ca8000000 | jl 0xae
$sequence_4 = { 8b4dfc 8b44810c 2b450c 8945f0 8365ec00 eb07 8b45ec }
// n = 7, score = 300
// 8b4dfc | mov ecx, dword ptr [ebp - 4]
// 8b44810c | mov eax, dword ptr [ecx + eax*4 + 0xc]
// 2b450c | sub eax, dword ptr [ebp + 0xc]
// 8945f0 | mov dword ptr [ebp - 0x10], eax
// 8365ec00 | and dword ptr [ebp - 0x14], 0
// eb07 | jmp 9
// 8b45ec | mov eax, dword ptr [ebp - 0x14]
$sequence_5 = { 88040a ebd2 e9???????? 8b45f8 5e c9 c21400 }
// n = 7, score = 300
// 88040a | mov byte ptr [edx + ecx], al
// ebd2 | jmp 0xffffffd4
// e9???????? |
// 8b45f8 | mov eax, dword ptr [ebp - 8]
// 5e | pop esi
// c9 | leave
// c21400 | ret 0x14
$sequence_6 = { 8364010c00 8b45e8 c1e004 8b4dfc c644010800 8b45e8 c1e004 }
// n = 7, score = 300
// 8364010c00 | and dword ptr [ecx + eax + 0xc], 0
// 8b45e8 | mov eax, dword ptr [ebp - 0x18]
// c1e004 | shl eax, 4
// 8b4dfc | mov ecx, dword ptr [ebp - 4]
// c644010800 | mov byte ptr [ecx + eax + 8], 0
// 8b45e8 | mov eax, dword ptr [ebp - 0x18]
// c1e004 | shl eax, 4
$sequence_7 = { 51 c745f8010000c0 e8???????? 58 2500f0ffff 8945fc 837d1400 }
// n = 7, score = 300
// 51 | push ecx
// c745f8010000c0 | mov dword ptr [ebp - 8], 0xc0000001
// e8???????? |
// 58 | pop eax
// 2500f0ffff | and eax, 0xfffff000
// 8945fc | mov dword ptr [ebp - 4], eax
// 837d1400 | cmp dword ptr [ebp + 0x14], 0
$sequence_8 = { 33c9 8b55fc 66894c020a 8b45e8 c1e004 8b4dfc 8364010c00 }
// n = 7, score = 300
// 33c9 | xor ecx, ecx
// 8b55fc | mov edx, dword ptr [ebp - 4]
// 66894c020a | mov word ptr [edx + eax + 0xa], cx
// 8b45e8 | mov eax, dword ptr [ebp - 0x18]
// c1e004 | shl eax, 4
// 8b4dfc | mov ecx, dword ptr [ebp - 4]
// 8364010c00 | and dword ptr [ecx + eax + 0xc], 0
$sequence_9 = { 0f8ca8000000 ff7508 8b45fc ff10 }
// n = 4, score = 300
// 0f8ca8000000 | jl 0xae
// ff7508 | push dword ptr [ebp + 8]
// 8b45fc | mov eax, dword ptr [ebp - 4]
// ff10 | call dword ptr [eax]
condition:
7 of them and filesize < 656384
}
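Review bot: Most of the `$s*` strings in `Ransom_Thanos` (`$s6`, `$s9`–`$s12`, `$s14`, and apparently `$s1`–`$s3`, `$s7`, `$s8`) look like SmartAssembly runtime/obfuscator names rather than Thanos artifacts, and `$a2` and `$b2`/`$b3` appear to be generic .NET/SmartAssembly text as well, so `2 of ($a*) and 2 of ($b*) and 6 of ($s*)` can be satisfied with `$a2` plus a single sample-specific string. I cannot confirm every string's origin from here, but anchoring explicitly on the specific markers, e.g. `uint16(0) == 0x5a4d and 1 of ($a1, $a3, $s13, $s15, $s16) and 2 of ($b*) and 6 of ($s*) and all of ($x*)`, would make the rule's specificity explicit. A filesize cap, as `win_hakbit_auto` below has, would also help.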


@@ -0,0 +1,71 @@
rule Ransom_Tohnichi {
meta:
description= "Detect the risk of Ransomware Tohnichi Rule 1"
hash1 = "863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1"
hash2 = "4d9a662a5d4d97a2c06b74552634c570b16e56c5c456c77ed1d640c23c70b600"
strings:
$x1 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\vssadmin.exe" fullword wide
$x2 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskkill.exe" fullword wide
$x3 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\powershell.exe" fullword wide
$x4 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\wmic.exe" fullword wide
$x5 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\wbadmin.exe" fullword wide
$x6 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\bcdedit.exe" fullword wide
$x7 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\diskshadow.exe" fullword wide
$x8 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\net.exe" fullword wide
$s9 = "\\sysnative\\cmd.exe" fullword wide
$s10 = "fdhost.exe" fullword wide
$s11 = "ReportingServecesService.exe" fullword wide
$s12 = "A: * Download Tor Browser - https://www.torproject.org/" fullword ascii
$s13 = "mysql.exe" fullword wide
$s14 = "sqlwriter.exe" fullword wide
$s15 = "ntdbsmgr.exe" fullword wide
$s16 = "oracle.exe" fullword wide
$s17 = "sqlserv.exe" fullword wide
$s18 = "\\sysnative\\vssadmin.exe" fullword wide
$s19 = "C:\\HOW TO RECOVER !!.TXT" fullword wide
$s20 = "debugLog.txt" fullword wide
$s21 = "/c ping 127.0.0.1 && del \"%s\" >> NUL" fullword wide
$s22 = "bootfont.bin" fullword wide
$s23 = "perflogs" fullword wide
$s24 = "How to decrypt files.txt" fullword wide
$s25 = "/c bcdedit /set {current} bootstatuspolicy ignoreallfailures" fullword wide
$s26 = "Info added: %s%s" fullword wide
$s27 = "SYSTEM\\CurrentControlSet\\Services\\EventLog\\Application\\Raccine" fullword wide
$s28 = " Type Descriptor'" fullword ascii
$s29 = "bootsect.bak" fullword wide
$s30 = "windows.old" fullword wide
$s31 = "Invalid Handle (error: %d) for: %s" fullword wide
$s32 = "IOCP Worker: Exit, overlap was NULL and completionKey == IOCP_STOP" fullword wide
$s33 = "FirstFirstFileExW (error: %d) failed for %s" fullword wide
$s34 = " constructor or from DllMain." fullword ascii
$s35 = "All files on TOHNICHI network have been encrypted due to insufficient security." fullword ascii
$s36 = "Encrypted:" fullword ascii
$s37 = "WindowsPowerShell" fullword wide
$s38 = "Starting file encryption: %s" fullword wide
$s39 = "127.0.0.1/a.php" fullword wide
$s40 = "%lld (%d%%)" fullword ascii
$s41 = "programdata" fullword wide
$s42 = "/c bcdedit /set {current} recoveryenabled no" fullword wide
$s43 = " delete shadows /all /quiet" fullword wide
$s44 = "Your personal identifier: {id}" fullword ascii
$s45 = "id=%s&pcname=%s&dcname=%S" fullword ascii
$s46 = "id=%s&disksinfo=%s" fullword ascii
$s47 = "Windows Portable Devices" fullword wide
$s48 = "Microsoft Analysis Services" fullword wide
$s49 = "Core Runtime" fullword wide
$s50 = "Microsoft ASP.NET" fullword wide
$s51 = "Windows Microsoft.NET" fullword wide
$s52 = "NTFS: failed to open %c drive" fullword wide
$s53 = "NTFS: Failed to query USN journal (%c)" fullword wide
$s54 = "%d (%d cores) IOCP workers started." fullword wide
$s55 = "All files done. Only shares left." fullword wide
$s56 = " * Open link in Tor Browser http://eghv5cpdsmuj5e6tpyjk5icgq642hqubildf6yrfnqlq3rmsqk2zanid.onion/contact" fullword ascii
$s57 = " Base Class Descriptor at (" fullword ascii
$s58 = " Class Hierarchy Descriptor'" fullword ascii
$s59 = "tor browser" fullword wide
$s60 = " Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam." fullword ascii
$s61 = " Complete Object Locator'" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 400KB and ( 1 of ($x*) and 4 of them )
) or ( 10 of them )
}
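Review bot: The fallback branch `( 10 of them )` in `Ransom_Tohnichi` is reachable without any `$x*` string: `$s28`, `$s34`, `$s57`, `$s58` and `$s61` are MSVC RTTI/CRT text, `$s47`–`$s51` are Windows component names, and `$s22`, `$s23`, `$s30`, `$s37`, `$s41` are common path fragments, which together exceed ten generic strings a benign binary or memory dump may contain. Requiring one Tohnichi-specific marker in the fallback, `) or ( 1 of ($x*) and 10 of them )`, or dropping the RTTI strings, would close that path.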


@@ -0,0 +1,20 @@
rule Ransomware_TrumpLocker {
meta:
description= "Detect the risk of Ransomware TrumpLocker Rule 1"
strings:
$s1 = {54 00 68 00 65 00 54 00 72 00 75 00 6D 00 70 00 4C 00 6F 00 63 00 6B 00 65 00 72 00 2E 00 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 73}
$s2 = {6F 00 70 00 00 00 2E 00 75 00 73 00 61 00 00 00 2E 00 75 00 73 00 78 00 00 00 2E 00 75 00 74 00 32 00 00 00 2E 00 75 00 74 00 33 00 00 00 2E 00 75 00 74 00 63 00 00 00 2E 00 75 00 74 00 78 00 00 00 2E 00 75 00 76 00 78 00 00 00 2E 00 75 00 78 00 78 00 00 00 2E 00 76 00 6D 00 66}
$s3 = {23 00 00 00 5C 00 57 00 68 00 61 00 74 00 20 00 68 00 61 00 70 00 70 00 65 00 6E 00 20 00 74 00 6F 00 20 00 6D 00 79 00 20 00 66 00 69 00 6C 00 65 00 73 00 2E 00 74 00 78 00 74 00 00 00 5C 00}
$s4 = {52 00 61 00 6E 00 73 00 6F 00 6D 00 4E 00 6F 00 74 00 65 00 2E 00 65 00 78 00 65 00 00 00 5C 00}
$s5 = {20 E7 01 00 00 72 D9 06 00 70 A2 06 20 E8 01 00 00 72 41 18 00 70 A2 06 20 E9 01 00 00 72 4B 18 00 70 A2 06 20 EA 01 00 00 72 57 18 00 70 A2 06}
$s6 = {20 EB 01 00 00 72 61 18 00 70 A2 06 20 EC 01 00 00 72 6D 18 00 70 A2 06 20 ED 01 00 00 72 79 18 00 70 A2 06 20 EE 01 00 00 72 83 18 00 70 A2 06}
$s7 = {0A 0A 06 72 E9 19 00 70 09 28 3A 00 00 0A 6F 43}
$s8 = {72 13 1B 00 70 28 40 00 00 0A 72 27 1B 00 70 28 41 00 00 0A}
$s9 = {6D 00 70 00 00 00 33 00 36 00 30 00 00 00 41 00}
$s10 = {72 00 00 00 4B 00 61 00 73 00 70 00 65 00 72 00 73 00 6B 00 79 00 20 00 4C 00 61 00 62 00 00 00}
$s11 = {6C 00 61 00 6D 00 00 00 2E 00 78 00 6C 00 6C 00}
$s12 = {14 0B 1E 8D 3E 00 00 01 13 07 11 07 16 17 9C 11 07 17 18 9C 11 07 18 19 9C 11 07 19 1A 9C 11 07 1A 1B 9C 11 07 1B 1C 9C 11 07 1C 1D 9C 11 07 1D}
condition:
uint16(0) == 0x5a4d and filesize < 1000KB and
any of them
}
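Review bot: `any of them` in the condition lets low-information fragments fire this rule on their own: $s10 decodes to little more than `r\0Kaspersky Lab\0` in UTF-16, $s11 to `lam\0.xll` and $s9 to `mp\0360\0A`, which look like slices of generic string tables rather than TrumpLocker-specific artefacts, so unrelated .NET binaries are likely to match. Consider anchoring on the unique resource name in $s1 and requiring corroboration, e.g. `$s1 or 3 of them`. A `hash1` meta entry like the sibling rules in this commit would also let the hex sequences be re-derived from a reference sample.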


@@ -0,0 +1,22 @@
rule Ransom_Venus {
meta:
description= "Detect the risk of Ransomware Venus Rule 1"
hash1 = "49fd52a3f3d1d46dc065217e588d1d29fba4d978cd8fdb2887fd603320540f71"
strings:
$s1 = "C:\\Windows\\System32\\cmd.exe" fullword ascii
$s2 = "/c ping localhost -n 3 > nul & del %s" fullword ascii
$s3 = " To take info, write ro email getdecrypt@disroot.org or and put this key:" fullword ascii
$s4 = "mainProductV2.0.exe" fullword ascii
$s5 = " write ro email getdecrypt@disroot.org or " fullword wide
$s6 = "README.txt" fullword wide
$s7 = "getdecrypt@disroot.org" fullword wide
$s8 = "franavru.xyz" fullword ascii
$s9 = "All your files has been encrypted " fullword ascii
$s10 = " All your files has been encrypted " fullword wide
$s11 = "dumbdumb" fullword ascii
$s12 = "sysrandom" fullword ascii
$s13 = "%s%x%x%x%x.goodgame" fullword wide
condition:
uint16(0) == 0x5a4d and
5 of them
}
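Review bot: The condition `uint16(0) == 0x5a4d and 5 of them` carries no `filesize` bound, unlike the other rules in this commit, so every MZ file of any size is fully scanned for all thirteen strings; a cap sized from the hash1 sample would match the sibling rules and cut scan cost. Two of the strings counted toward the `5 of them` threshold, $s1 (the `cmd.exe` path) and $s6 (`README.txt`), occur in countless benign binaries; either exclude them from the count or record in a `detail` meta line that they are corroborating only.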


@@ -0,0 +1,20 @@
rule Ransom_VoidCrypt {
meta:
description= "Detect the risk of Ransomware VoidCrypt Rule 1"
strings:
$a_op1 = {55 8B EC 6A FF 68 08 49 4F 00 64 A1 00 00 00 00 50 81 EC F8 01 00 00 A1 8C 51 53 00 33 C5 89 45 F0 53 56 57 50 8D 45 F4 64 A3 00 00 00 00 8B F1 89 B5 08 FE FF FF C7 45 FC 00 00 00 00 89 B5 FC}
$a_op2 = {55 8D 6C 24 8C 83 EC 74 6A FF 68 D9 9B 4F 00 64 A1 00 00 00 00}
$a_s1 = "C:\\ProgramData\\IDk.txt" fullword ascii
$a_s2 = "C:\\ProgramData\\pkey.txt" fullword ascii
$a_s3 = "Decrypt-info.txt" fullword
$a_s4 = "C:\\Users\\LEGION\\Desktop\\New folder\\sse_simd.cpp" fullword ascii
$a_s5 = "D:\\yo\\chaos\\Release\\chaos.pdb" fullword ascii
$a_s6 = "C:\\ProgramData\\IDo.txt" fullword ascii
$a_s7 = "C:\\Users\\LEGION\\Desktop\\New folder\\rijndael_simd.cpp" fullword ascii
$b_s1 = "sqlserver.exe" fullword ascii
$b_s2 = "mysqld-opt.exe" fullword ascii
$b_s3 = "threaad" fullword ascii
$b_s4 = "DecodingLookupArray" fullword ascii
condition:
uint16(0) == 0x5a4d and (any of ($a*) or 3 of ($b*))
}
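Review bot: $a_op1 and $a_op2 embed absolute image addresses (`68 08 49 4F 00`, `A1 8C 51 53 00`, `68 D9 9B 4F 00`) that are fixed by one particular link of the binary, so the `any of ($a*)` branch will silently miss any rebuilt or rebased sample while still looking specific. Wildcarding those operands, e.g. `68 ?? ?? ?? ??` and `A1 ?? ?? ?? ??`, keeps the opcode skeleton without tying the rule to one build. The $a_s* PDB and ProgramData paths are the stronger indicators; a `hash1` meta entry naming the sample they were taken from would make the rule auditable.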


@@ -0,0 +1,13 @@
rule Ransom_WannaDie
{
meta:
description = "Detect the risk of Ransom.WannaDie Rule 1"
hash1 = "295f01c0f93400b0bea4823457a1ca09329770c6e2fa2de44972940aba16f0b2"
hash2 = "b0c40513ae3c7f9cb72ab2a5084f0ba479ec50b4a502e210903b14169d9426c6"
strings:
$s1 = "C:\\Users\\kashe\\source\\repos\\Microsoft System\\Microsoft System\\obj\\Debug\\Microsoft System.pdb" fullword ascii
$s2 = " and your WannaDie-ID and then our service team will send you" ascii
$s3 = "C:\\Users\\baddo\\Desktop\\CryptoWall\\CryptoWall\\obj\\Release\\wndi.pdb" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 2000KB and any of them
}
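Review bot: $s2 is declared `ascii` only, but both PDB paths point at `obj\Debug` / `obj\Release` build directories, which is characteristic of a .NET build; if that is right, the ransom-note text would be stored as UTF-16 in the assembly and `ascii` would never match it, so `$s2 = " and your WannaDie-ID and then our service team will send you" ascii wide` is the safer form. The two PDB paths belong to different projects (`Microsoft System` and `CryptoWall\\...\\wndi.pdb`); a `detail` line noting which of hash1/hash2 each was taken from would help whoever maintains this rule.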


@@ -0,0 +1,22 @@
rule wannaren_ransomware
{
meta:
description = "Detect the risk of Ransomware WannaRen Rule 1"
malware_family = "Ransom:W32/WannaRen"
hash = "7b364f1c854e6891c8d09766bcc9a49420e0b5b4084d74aa331ae94e2cfb7e1d"
strings:
$sq0 = { 92 93 a91c2ea521 59 334826 }
$sq1 = { d0ce 6641 c1e9c0 41 80f652 49 c1f94d }
$sq2 = { 80f8b5 4d 63c9 f9 4d 03d9 41 }
$sq3 = { 34b7 d2ea 660fbafa56 0f99c2 32d8 660fbafaed 99 }
$sq4 = { f9 f7c70012355f 35c01f5226 f9 8d8056c800b0 f6c4b2 f9 }
$sq5 = { f5 f9 44 3aeb 45 33cd 41 }
$sq6 = { 890f c0ff12 44 b4a3 ee 2b4e70 7361 }
$sq7 = { 81c502000000 6689542500 6681d97a1e 660fabe1 660fbae1a5 8b0f 8dbf04000000 }
$sq8 = { 8d13 de11 d7 677846 f1 0d8cd45f87 bb34b98f33 }
$sq9 = { 1440 4b 41 e8???????? 397c0847 }
condition:
uint16(0) == 0x5a4d and
filesize < 21000KB and
7 of them
}
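Review bot: The meta key is `hash` here while the sibling rules in this commit use `hash1`, so tooling that reads the reference hash by key name will miss this rule; rename it to `hash1`. The $sq* hex strings are written without byte separators (`a91c2ea521`, `660fbafa56`), which YARA accepts but which makes checking byte boundaries during review unnecessarily hard; space-separated byte pairs cost nothing. `filesize < 21000KB` is also unusually generous; if the referenced sample is much smaller, a tighter cap reduces scan time.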


@@ -0,0 +1,313 @@
import "pe"
rule MS17_010_WanaCry_worm {
meta:
description = "Detect the risk of Ransomware WannaCry Rule 1"
detail = "Worm exploiting MS17-010 and dropping WannaCry Ransomware"
strings:
$ms17010_str1="PC NETWORK PROGRAM 1.0"
$ms17010_str2="LANMAN1.0"
$ms17010_str3="Windows for Workgroups 3.1a"
$ms17010_str4="__TREEID__PLACEHOLDER__"
$ms17010_str5="__USERID__PLACEHOLDER__"
$wannacry_payload_substr1 = "h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j"
$wannacry_payload_substr2 = "h54WfF9cGigWFEx92bzmOd0UOaZlM"
$wannacry_payload_substr3 = "tpGFEoLOU6+5I78Toh/nHs/RAP"
condition:
all of them
}
rule WannaDecryptor: WannaDecryptor
{
meta:
description = "Detect the risk of Ransomware WannaCry Rule 2"
detail = "Detection for common strings of WannaDecryptor"
strings:
$id1 = "taskdl.exe"
$id2 = "taskse.exe"
$id3 = "r.wnry"
$id4 = "s.wnry"
$id5 = "t.wnry"
$id6 = "u.wnry"
$id7 = "msg/m_"
condition:
3 of them
}
rule Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549: Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549
{
meta:
description = "Detect the risk of Ransomware WannaCry Rule 3"
detail = "Specific sample match for WannaCryptor"
MD5 = "84c82835a5d21bbcf75a61706d8ab549"
SHA1 = "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"
SHA256 = "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
INFO = "Looks for 'taskdl' and 'taskse' at known offsets"
strings:
$taskdl = { 00 74 61 73 6b 64 6c }
$taskse = { 00 74 61 73 6b 73 65 }
condition:
$taskdl at 3419456 and $taskse at 3422953
}
rule Wanna_Sample_4da1f312a214c07143abeeafb695d904: Wanna_Sample_4da1f312a214c07143abeeafb695d904
{
meta:
description = "Detect the risk of Ransomware WannaCry Rule 4"
detail = "Specific sample match for WannaCryptor"
MD5 = "4da1f312a214c07143abeeafb695d904"
SHA1 = "b629f072c9241fd2451f1cbca2290197e72a8f5e"
SHA256 = "aee20f9188a5c3954623583c6b0e6623ec90d5cd3fdec4e1001646e27664002c"
INFO = "Looks for offsets of r.wry and s.wry instances"
strings:
$rwnry = { 72 2e 77 72 79 }
$swnry = { 73 2e 77 72 79 }
condition:
$rwnry at 88195 and $swnry at 88656 and $rwnry at 4495639
}
rule NHS_Strain_Wanna: NHS_Strain_Wanna
{
meta:
description = "Detect the risk of Ransomware WannaCry Rule 5"
detail = "Detection for worm-strain bundle of Wcry, DOublePulsar"
MD5 = "db349b97c37d22f5ea1d1841e3c89eb4"
SHA1 = "e889544aff85ffaf8b0d0da705105dee7c97fe26"
SHA256 = "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
INFO = "Looks for specific offsets of c.wnry and t.wnry strings"
strings:
$cwnry = { 63 2e 77 6e 72 79 }
$twnry = { 74 2e 77 6e 72 79 }
condition:
$cwnry at 262324 and $twnry at 267672 and $cwnry at 284970
}
rule ransom_telefonica : TELEF
{
meta:
description = "Detect the risk of Ransomware WannaCry Rule 6"
detail = "Ransmoware Telefonica"
md5 = "7f7ccaa16fb15eb1c7399d422f8363e8"
sha256 = "2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd"
strings:
$a = "RegCreateKeyW" wide ascii nocase
$b = "cmd.exe /c"
$c = "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn" ascii
$d = "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw" ascii
$e = "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94" ascii
$f = "tasksche.exe"
condition:
uint16(0) == 0x5A4D and $a and for all of ($b, $c, $d, $e, $f) : (@ > @a)
}
rule Wanna_Cry_Ransomware_Generic {
meta:
description = "Detect the risk of Ransomware WannaCry Rule 7"
detail = "Detects WannaCry Ransomware on Disk and in Virtual Page"
hash0 = "4DA1F312A214C07143ABEEAFB695D904"
strings:
$s0 = {410044004D0049004E0024}
$s1 = "WannaDecryptor"
$s2 = "WANNACRY"
$s3 = "Microsoft Enhanced RSA and AES Cryptographic"
$s4 = "PKS"
$s5 = "StartTask"
$s6 = "wcry@123"
$s7 = {2F6600002F72}
$s8 = "unzip 0.15 Copyrigh"
$s9 = "Global\\WINDOWS_TASKOSHT_MUTEX"
$s10 = "Global\\WINDOWS_TASKCST_MUTEX"
$s11 = {7461736B736368652E657865000000005461736B5374617274000000742E776E7279000069636163}
$s12 = {6C73202E202F6772616E742045766572796F6E653A46202F54202F43202F5100617474726962202B68}
$s13 = "WNcry@2ol7"
$s14 = "wcry@123"
$s15 = "Global\\MsWinZonesCacheCounterMutexA"
condition:
$s0 and $s1 and $s2 and $s3 or $s4 and $s5 and $s6 and $s7 or $s8 and $s9 and $s10 or $s11 and $s12 or $s13 or $s14 or $s15
}
rule WannaCry_Ransomware {
meta:
description = "Detect the risk of Ransomware WannaCry Rule 8"
hash1 = "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
strings:
$x1 = "icacls . /grant Everyone:F /T /C /Q" fullword ascii
$x2 = "taskdl.exe" fullword ascii
$x3 = "tasksche.exe" fullword ascii
$x4 = "Global\\MsWinZonesCacheCounterMutexA" fullword ascii
$x5 = "WNcry@2ol7" fullword ascii
$x6 = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" ascii
$x7 = "mssecsvc.exe" fullword ascii
$x8 = "C:\\%s\\qeriuwjhrf" fullword ascii
$x9 = "icacls . /grant Everyone:F /T /C /Q" fullword ascii
$s1 = "C:\\%s\\%s" fullword ascii
$s2 = "<!-- Windows 10 --> " fullword ascii
$s3 = "cmd.exe /c \"%s\"" fullword ascii
$s4 = "msg/m_portuguese.wnry" fullword ascii
$s5 = "\\\\192.168.56.20\\IPC$" fullword wide
$s6 = "\\\\172.16.99.5\\IPC$" fullword wide
$op1 = { 10 ac 72 0d 3d ff ff 1f ac 77 06 b8 01 00 00 00 }
$op2 = { 44 24 64 8a c6 44 24 65 0e c6 44 24 66 80 c6 44 }
$op3 = { 18 df 6c 24 14 dc 64 24 2c dc 6c 24 5c dc 15 88 }
$op4 = { 09 ff 76 30 50 ff 56 2c 59 59 47 3b 7e 0c 7c }
$op5 = { c1 ea 1d c1 ee 1e 83 e2 01 83 e6 01 8d 14 56 }
$op6 = { 8d 48 ff f7 d1 8d 44 10 ff 23 f1 23 c1 }
condition:
uint16(0) == 0x5a4d and filesize < 10000KB and ( 1 of ($x*) and 1 of ($s*) or 3 of ($op*) )
}
rule WannaCry_Ransomware_Gen {
meta:
description = "Detect the risk of Ransomware WannaCry Rule 9"
hash1 = "9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05"
hash2 = "8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df"
hash3 = "4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359"
strings:
$s1 = "__TREEID__PLACEHOLDER__" fullword ascii
$s2 = "__USERID__PLACEHOLDER__" fullword ascii
$s3 = "Windows for Workgroups 3.1a" fullword ascii
$s4 = "PC NETWORK PROGRAM 1.0" fullword ascii
$s5 = "LANMAN1.0" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 5000KB and all of them
}
rule WannCry_m_vbs {
meta:
description = "Detect the risk of Ransomware WannaCry Rule 10"
detail = "Detects WannaCry Ransomware VBS"
hash1 = "51432d3196d9b78bdc9867a77d601caffd4adaa66dcac944a5ba0b3112bbea3b"
strings:
$x1 = ".TargetPath = \"C:\\@" ascii
$x2 = ".CreateShortcut(\"C:\\@" ascii
$s3 = " = WScript.CreateObject(\"WScript.Shell\")" ascii
condition:
( uint16(0) == 0x4553 and filesize < 1KB and all of them )
}
rule WannCry_BAT {
meta:
description = "Detect the risk of Ransomware WannaCry Rule 11"
detail = "Detects WannaCry Ransomware BATCH File"
hash1 = "f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077"
strings:
$s1 = "@.exe\">> m.vbs" ascii
$s2 = "cscript.exe //nologo m.vbs" fullword ascii
$s3 = "echo SET ow = WScript.CreateObject(\"WScript.Shell\")> " ascii
$s4 = "echo om.Save>> m.vbs" fullword ascii
condition:
( uint16(0) == 0x6540 and filesize < 1KB and 1 of them )
}
rule WannaCry_RansomNote {
meta:
description = "Detect the risk of Ransomware WannaCry Rule 12"
detail = "Detects WannaCry Ransomware Note"
hash1 = "4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e"
strings:
$s1 = "A: Don't worry about decryption." fullword ascii
$s2 = "Q: What's wrong with my files?" fullword ascii
condition:
( uint16(0) == 0x3a51 and filesize < 2KB and all of them )
}
rule lazaruswannacry {
meta:
description = "Detect the risk of Ransomware WannaCry Rule 13"
detail = "Rule based on shared code between Feb 2017 Wannacry sample and Lazarus backdoor from Feb 2015 discovered by Neel Mehta"
hash = "9c7c7149387a1c79679a87dd1ba755bc"
hash = "ac21c8ad899727137c4b94458d7aa8d8"
strings:
$a1 = { 51 53 55 8B 6C 24 10 56 57 6A 20 8B 45 00 8D 75 04 24 01 0C 01 46 89 45 00 C6 46 FF 03 C6 06 01 46 56 E8 }
$a2 = { 03 00 04 00 05 00 06 00 08 00 09 00 0A 00 0D 00 10 00 11 00 12 00 13 00 14 00 15 00 16 00 2F 00 30 00 31 00 32 00 33 00 34 00 35 00 36 00 37 00 38 00 39 00 3C 00 3D 00 3E 00 3F 00 40 00 41 00 44 00 45 00 46 00 62 00 63 00 64 00 66 00 67 00 68 00 69 00 6A 00 6B 00 84 00 87 00 88 00 96 00 FF 00 01 C0 02 C0 03 C0 04 C0 05 C0 06 C0 07 C0 08 C0 09 C0 0A C0 0B C0 0C C0 0D C0 0E C0 0F C0 10 C0 11 C0 12 C0 13 C0 14 C0 23 C0 24 C0 27 C0 2B C0 2C C0 FF FE }
condition:
uint16(0) == 0x5A4D and filesize < 15000000 and all of them
}
import "pe"
rule WannaCry_Ransomware_Dropper
{
meta:
description = "Detect the risk of Ransomware WannaCry Rule 14"
detail = "WannaCry Ransomware Dropper"
strings:
$s1 = "cmd.exe /c \"%s\"" fullword ascii
$s2 = "tasksche.exe" fullword ascii
$s3 = "icacls . /grant Everyone:F /T /C /Q" fullword ascii
$s4 = "Global\\MsWinZonesCacheCounterMutexA" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 4MB and all of them
}
rule WannaCry_SMB_Exploit
{
meta:
description = "Detect the risk of Ransomware WannaCry Rule 15"
detail = "WannaCry SMB Exploit"
strings:
$s1 = { 53 4D 42 72 00 00 00 00 18 53 C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE 00 00 40 00 00 62 00 02 50 43 20 4E 45 54 57 4F 52 4B 20 50 52 4F 47 52 41 4D 20 31 2E 30 00 02 4C 41 4E 4D 41 4E 31 2E 30 00 02 57 69 6E 64 6F 77 73 20 66 6F 72 20 57 6F 72 6B 67 72 6F 75 70 73 20 33 2E 31 61 00 02 4C 4D 31 2E 32 58 30 30 32 00 02 4C 41 4E 4D 41 4E 32 2E 31 00 02 4E 54 20 4C 4D 20 30 2E 31 32 00 00 00 00 00 00 00 88 FF 53 4D 42 73 00 00 00 00 18 07 C0 }
condition:
uint16(0) == 0x5a4d and filesize < 4MB and all of them and pe.imports("ws2_32.dll", "connect") and pe.imports("ws2_32.dll", "send") and pe.imports("ws2_32.dll", "recv") and pe.imports("ws2_32.dll", "socket") and pe.imports("ws2_32.dll", "closesocket")
}
rule wannacry_static_ransom : wannacry_static_ransom
{
meta:
description = "Detect the risk of Ransomware WannaCry Rule 16"
detail = "Detects WannaCryptor spreaded during 2017-May-12th campaign and variants"
strings:
$mutex01 = "Global\\MsWinZonesCacheCounterMutexA" ascii
$lang01 = "m_bulgarian.wnr" ascii
$lang02 = "m_vietnamese.wnry" ascii
$startarg01 = "StartTask" ascii
$startarg02 = "TaskStart" ascii
$startarg03 = "StartSchedule" ascii
$wcry01 = "WanaCrypt0r" ascii wide
$wcry02 = "WANACRY" ascii
$wcry03 = "WANNACRY" ascii
$wcry04 = "WNCRYT" ascii wide
$forig01 = ".wnry\x00" ascii
$fvar01 = ".wry\x00" ascii
condition:
($mutex01 or any of ($lang*)) and ( $forig01 or all of ($fvar*) ) and any of ($wcry*) and any of ($startarg*)
}
rule wannacry_memory_ransom : wannacry_memory_ransom
{
meta:
description = "Detect the risk of Ransomware WannaCry Rule 17"
detail = "Detects WannaCryptor spreaded during 2017-May-12th campaign and variants in memory"
strings:
$s01 = "%08X.eky"
$s02 = "%08X.pky"
$s03 = "%08X.res"
$s04 = "%08X.dky"
$s05 = "@WanaDecryptor@.exe"
condition:
all of them
}
rule worm_ms17_010 : worm_ms17_010
{
meta:
description = "Detect the risk of Ransomware WannaCry Rule 18"
detail = "Detects Worm used during 2017-May-12th WannaCry campaign, which is based on ETERNALBLUE"
strings:
$s01 = "__TREEID__PLACEHOLDER__" ascii
$s02 = "__USERID__PLACEHOLDER__@" ascii
$s03 = "SMB3"
$s05 = "SMBu"
$s06 = "SMBs"
$s07 = "SMBr"
$s08 = "%s -m security" ascii
$s09 = "%d.%d.%d.%d"
$payloadwin2000_2195 ="\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x32\x00\x31\x00\x39\x00\x35\x00\x00\x00"
$payload2000_50 ="\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x35\x00\x2e\x00\x30\x00\x00\x00"
condition:
all of them
}
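Review bot: The condition of `Wanna_Cry_Ransomware_Generic`, `$s0 and $s1 and $s2 and $s3 or $s4 and ... or $s13 or $s14 or $s15`, relies on `and` binding tighter than `or` and cannot be verified at a glance; writing each clause in parentheses, `($s0 and $s1 and $s2 and $s3) or ($s4 and $s5 and $s6 and $s7) or ($s8 and $s9 and $s10) or ($s11 and $s12) or $s13 or $s14 or $s15`, keeps the semantics and makes the intent reviewable. In the same rule $s14 is byte-identical to $s6 (`wcry@123`), and in `WannaCry_Ransomware` $x9 duplicates $x1, so each pair is counted twice toward `of them` thresholds; drop the duplicates. The second `import "pe"` placed before `WannaCry_Ransomware_Dropper` is redundant with the one at the top of the file and should be removed.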


@@ -0,0 +1,12 @@
rule Ransom_Zeppelin {
meta:
description= "Detect the risk of Ransomware Zeppelin Rule 1"
strings:
$op1 = {558BEC83C4E4538B1833C08945F05533D28BC3E8}
$op2 = {555756535052546A076A0168DEFAED0E52FF2514}
$op3 = {8B45088378F004721E8B45088178F40010000075}
$op4 = {558BEC515356578945FC33D25568AF3D400064FF}
$x = "TZeppelinU" ascii wide
condition:
uint16(0) == 0x5a4d and (all of ($op*) or ($x))
}
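Review bot: The condition requires `all of ($op*)`, yet $op4 embeds an absolute address (`68AF3D4000`) fixed by one particular build, and $op2's `68DEFAED0E` looks like the generic Delphi exception-code push found in most Delphi binaries, so the opcode branch is at once brittle and partly non-specific; wildcarding the immediate in $op4 (`68 ?? ?? ?? ??`) or relaxing to `3 of ($op*)` would cover variants without widening the match much. The `($x)` branch lets the single short string `TZeppelinU` fire on its own and the parentheses are superfluous. No `filesize` bound or reference hash is recorded, unlike the sibling rules; a `hash1` meta entry and a size cap would help.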


@@ -0,0 +1,12 @@
rule Ransom_cryt0y {
meta:
description= "Detect the risk of Ransomware Cryt0y Rule 1"
hash1 = "6d8dd5a564523b6f8597dd9009a74395bb48e5e1a85947157ced38034b20b6d4"
hash2 = "fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997"
strings:
$s1 = "You can decrypt, the encrypted files" ascii
$s2 = "Asymmetric means that there are two different keys. This" ascii
$s3 = "URL=file:///C:/ProgramData/anotherfile.exe" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 2000KB and any of them
}
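Review bot: `any of them` lets $s2, `Asymmetric means that there are two different keys. This`, trigger on its own, yet that sentence is stock ransom-note wording that, as far as I can tell, has been reused by several unrelated families, so the rule will tag samples that are not Cryt0y; requiring `$s3 or 2 of them`, with the `file:///C:/ProgramData/anotherfile.exe` URL in $s3 as the family-specific anchor, would be safer. The two note strings are `ascii` only; if the note is carried as a UTF-16 resource they would be missed, so `ascii wide` is worth considering.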