23 lines
1.1 KiB
Plaintext
23 lines
1.1 KiB
Plaintext
rule Ransom_Termite {
|
|
meta:
|
|
description= "Detect the risk of Ransomware Termite Rule 1"
|
|
hash1 = "e6c015b5dc3312e08fb242b7979b59818ff1d3bef65afee4852534ed1edba5cd"
|
|
hash2 = "14acfbc63214e30d80258e7a32a0e366b0029d2119efa5b9c7126195124b71ae"
|
|
hash3 = "ac5d4062cc3514901312d7cc2691d71ec56ba71b55f02c3f1f9aebe94cb2fbea"
|
|
strings:
|
|
$s1 = "Payment.exe" fullword ascii
|
|
$s2 = "Termite.exe" fullword ascii
|
|
$s3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Termite.exe" fullword ascii
|
|
$s4 = "C:\\Windows\\Termite.exe" fullword ascii
|
|
$s5 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Payment.exe" fullword ascii
|
|
$s6 = "\\Shell\\Open\\Command\\" fullword ascii
|
|
$s7 = "\\Payment.exe" fullword ascii
|
|
$s8 = "\\Termite.exe" fullword ascii
|
|
$s9 = "Software\\Microsoft\\PassWord" fullword ascii
|
|
$s10 = "takeown /f \"**\"" fullword ascii
|
|
$s11 = "\\TemporaryFile" fullword ascii
|
|
$s12 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\" fullword ascii
|
|
condition:
|
|
uint16(0) == 0x5a4d and 8 of them
|
|
}
|