/*
    This YARA ruleset is under the GNU GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.

*/
rule ransom_comodosec_mrcr1 {
    // Memory-scan rule for the Comodosec "MRCR1" ransomware sample referenced
    // in the meta block. It collects 21 artefacts: configuration key names,
    // stage markers, the shadow-copy deletion command, multipart form fields
    // that appear to belong to the sample's HTTP check-in, and a regex for a
    // pipe-delimited token block. A hit needs any 10 of them, so a single
    // generic fragment such as "Mozilla_" or "WebKitFormBoundary" seen in a
    // benign browser process cannot fire the rule on its own.
    // The meta says filetype = "memory": no filesize guard is applied, which
    // is expected for scanning process memory rather than files on disk.

    meta:
        author = " J from THL <j@techhelplist.com>"
        date = "2017/01"
        reference = "https://virustotal.com/en/file/75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa/analysis/"
        version = 1
        maltype = "Ransomware"
        filetype = "memory"

    strings:
        // -- configuration key names; the trailing colon keeps each match
        //    tied to the "key:" form rather than a bare word.
        $cfg_autorun       = "isAutorun:"
        $cfg_network_scan  = "isNetworkScan:"
        $cfg_userdata_last = "isUserDataLast:"
        $cfg_crypt_names   = "isCryptFileNames:"
        $cfg_change_exts   = "isChangeFileExts:"
        $cfg_poweroff      = "isPowerOffWindows:"
        $cfg_gate_path     = "GatePath:"
        $cfg_gate_port     = "GatePort:"
        $cfg_default_key   = "DefaultCryptKey:"
        $cfg_user_agent    = "UserAgent:"

        // -- execution stage markers (network scan, drive scan, encryption).
        $stage_netscan   = "Start NetworkScan"
        $stage_drivescan = "Start DriveScan"
        $stage_crypt     = "Start CryptFiles"

        // -- shadow-copy removal prior to encryption; a strong, widely
        //    shared ransomware indicator (also worth its own process-creation
        //    detection outside this rule).
        $cmd_vssadmin = "cmd /c vssadmin delete shadows /all /quiet"

        // -- multipart/form-data fields and boundary; presumably the
        //    victim-identification fields of the check-in request.
        $http_boundary  = "WebKitFormBoundary"
        $http_uid       = "Content-Disposition: form-data; name=\"uid\""
        $http_uname     = "Content-Disposition: form-data; name=\"uname\""
        $http_cname     = "Content-Disposition: form-data; name=\"cname\""
        $http_ua_prefix = "Mozilla_"

        // -- VBScript error-suppression statement embedded in the sample.
        $vbs_on_error = "On Error Resume Next"

        // -- four pipe-delimited tokens of 2-5 lowercase alphanumerics
        //    ("|ab||cde||fg||hijk|"), matched as a single run.
        $regx_tokens = /\|[0-9a-z]{2,5}\|\|[0-9a-z]{2,5}\|\|[0-9a-z]{2,5}\|\|[0-9a-z]{2,5}\|/

    condition:
        // Any 10 of the 21 strings; no ordering or offset constraints.
        10 of them
}