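rule Ransom_BCrypt {
    // Ransomware "BCrypt" (rule 1): flags PE files carrying the artifacts
    // observed in the two reference samples listed in meta.
    //
    // The original condition accepted any 2 of the 9 strings. Three of them
    // (libcef.dll, AliWorkbench.exe, /bEncrypt) occur in legitimate software,
    // so two generic hits alone could fire on a benign binary. The strings are
    // therefore split into sample-specific ($u*) and generic ($g*) sets, and
    // at least one sample-specific string is now required.
    meta:
        description = "Detect the risk of Ransomware BCrypt Rule 1"
        hash1 = "9b710b07d9192d590ecf8be939ce8ff44e23e64569687f636995270c618582a7"
        hash2 = "e47e4060f7a53eb7851b4f9622dccead3594b4af759f882f700cb1737b5f09c5"

    strings:
        // Sample-specific indicators: hard-coded URL, drop-file paths and an
        // internal DLL name that are unlikely to appear in benign software.
        $u1 = "https://www.douban.com/note/693052956/" fullword ascii
        $u2 = "C:\\windows64.ntd" fullword ascii
        $u3 = "C:\\windows64-2.ntd" fullword ascii
        $u4 = "C:\\123456789.txt" fullword ascii
        $u5 = "SearchCompterFileEncrypt.dll" fullword ascii
        // Looks like a path component (trailing backslash). 'fullword' is
        // deliberately omitted here: whatever follows the backslash in a real
        // path is alphanumeric, which fullword would reject, leaving the
        // string unable to match.
        $u6 = "unname_1989\\" wide

        // Generic indicators: libcef.dll is the Chromium Embedded Framework
        // runtime and AliWorkbench.exe is a commercial Alibaba client, both
        // shipped by legitimate software. They only corroborate a $u* hit.
        $g1 = "AliWorkbench.exe" fullword ascii
        $g2 = "/bEncrypt" fullword wide
        $g3 = "libcef.dll" fullword wide

    condition:
        // MZ header, at least one sample-specific string, and two strings in
        // total (the second may come from either set).
        uint16(0) == 0x5a4d
        and 1 of ($u*)
        and 2 of them
}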