1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
// yara rules that can cross boundaries between the various sets/types... more general detection signatures
import "pe"
rule wiper_unique_strings
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
company = "novetta"
strings:
$a = "C!@I#%VJSIEOTQWPVz034vuA"
$b = "BAISEO%$2fas9vQsfvx%$"
$c = "1.2.7.f-hanba-win64-v1"
$d = "md %s© %s\\*.* %s"
$e = "%sd.e%sc n%ssh%srewa%s ad%s po%sop%sing T%s %d \"%s\""
$f = "Ge.tVol. .umeIn..for mati.onW"
condition:
$a or $b or $c or $d or $e or $f
}
rule wiper_encoded_strings
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
company = "novetta"
strings:
$scr = {89 D4 C4 D5 00 00 00}
$explorer = {E2 DF D7 CB C8 D5 C2 D5 89 C2 DF C2 00 00 00 }
$kernel32 = {CC C2 D5 C9 C2 CB 94 95 89 C3 CB CB 00 00 }
condition:
$scr or $explorer or $kernel32
}
rule createP2P
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
strings:
$ = "CreatP2P Thread" wide
condition:
any of them
}
rule firewallOpener
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
strings:
$ = "%sd.e%sc n%ssh%srewa%s ad%s po%sop%sing T%s %d \"%s\""
condition:
any of them
}