1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
/*
Yara Rule Set
Author: Florian Roth
Date: 2016-03-24
Identifier: Petya Ransomware
*/
/* Rule Set ----------------------------------------------------------------- */
rule Petya_Ransomware {
meta:
description = "Detects Petya Ransomware"
author = "Florian Roth"
reference = "http://www.heise.de/newsticker/meldung/Erpressungs-Trojaner-Petya-riegelt-den-gesamten-Rechner-ab-3150917.html"
date = "2016-03-24"
hash = "26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739"
strings:
$a1 = "<description>WinRAR SFX module</description>" fullword ascii
$s1 = "BX-Proxy-Manual-Auth" fullword wide
$s2 = "<!--The ID below indicates application support for Windows 10 -->" fullword ascii
$s3 = "X-HTTP-Attempts" fullword wide
$s4 = "@CommandLineMode" fullword wide
$s5 = "X-Retry-After" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 500KB and $a1 and 3 of ($s*)
}
rule Ransom_Petya {
meta:
description = "Regla para detectar Ransom.Petya con md5 AF2379CC4D607A45AC44D62135FB7015"
author = "CCN-CERT"
version = "1.0"
strings:
$a1 = { C1 C8 14 2B F0 03 F0 2B F0 03 F0 C1 C0 14 03 C2 }
$a2 = { 46 F7 D8 81 EA 5A 93 F0 12 F7 DF C1 CB 10 81 F6 }
$a3 = { 0C 88 B9 07 87 C6 C1 C3 01 03 C5 48 81 C3 A3 01 00 00 }
condition:
all of them
}