22 lines
936 B
Plaintext
22 lines
936 B
Plaintext
rule wannaren_ransomware
|
|
{
|
|
meta:
|
|
description = "Detect the risk of Ransomware WannaRen Rule 1"
|
|
malware_family = "Ransom:W32/WannaRen"
|
|
hash = "7b364f1c854e6891c8d09766bcc9a49420e0b5b4084d74aa331ae94e2cfb7e1d"
|
|
strings:
|
|
$sq0 = { 92 93 a91c2ea521 59 334826 }
|
|
$sq1 = { d0ce 6641 c1e9c0 41 80f652 49 c1f94d }
|
|
$sq2 = { 80f8b5 4d 63c9 f9 4d 03d9 41 }
|
|
$sq3 = { 34b7 d2ea 660fbafa56 0f99c2 32d8 660fbafaed 99 }
|
|
$sq4 = { f9 f7c70012355f 35c01f5226 f9 8d8056c800b0 f6c4b2 f9 }
|
|
$sq5 = { f5 f9 44 3aeb 45 33cd 41 }
|
|
$sq6 = { 890f c0ff12 44 b4a3 ee 2b4e70 7361 }
|
|
$sq7 = { 81c502000000 6689542500 6681d97a1e 660fabe1 660fbae1a5 8b0f 8dbf04000000 }
|
|
$sq8 = { 8d13 de11 d7 677846 f1 0d8cd45f87 bb34b98f33 }
|
|
$sq9 = { 1440 4b 41 e8???????? 397c0847 }
|
|
condition:
|
|
uint16(0) == 0x5a4d and
|
|
filesize < 21000KB and
|
|
7 of them
|
|
} |