1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule CryptoLocker_set1
{
meta:
author = "Christiaan Beek, Christiaan_Beek@McAfee.com"
date = "2014-04-13"
description = "Detection of Cryptolocker Samples"
strings:
$string0 = "static"
$string1 = " kscdS"
$string2 = "Romantic"
$string3 = "CompanyName" wide
$string4 = "ProductVersion" wide
$string5 = "9%9R9f9q9"
$string6 = "IDR_VERSION1" wide
$string7 = " </trustInfo>"
$string8 = "LookFor" wide
$string9 = ":n;t;y;"
$string10 = " <requestedExecutionLevel level"
$string11 = "VS_VERSION_INFO" wide
$string12 = "2.0.1.0" wide
$string13 = "<assembly xmlns"
$string14 = " <trustInfo xmlns"
$string15 = "srtWd@@"
$string16 = "515]5z5"
$string17 = "C:\\lZbvnoVe.exe" wide
condition:
8 of ($string*)
}
rule CryptoLocker_rule2
{
meta:
author = "Christiaan Beek, Christiaan_Beek@McAfee.com"
date = "2014-04-14"
description = "Detection of CryptoLocker Variants"
strings:
$string0 = "2.0.1.7" wide
$string1 = " <security>"
$string2 = "Romantic"
$string3 = "ProductVersion" wide
$string4 = "9%9R9f9q9"
$string5 = "IDR_VERSION1" wide
$string6 = "button"
$string7 = " </security>"
$string8 = "VFileInfo" wide
$string9 = "LookFor" wide
$string10 = " </requestedPrivileges>"
$string11 = " uiAccess"
$string12 = " <trustInfo xmlns"
$string13 = "last.inf"
$string14 = " manifestVersion"
$string15 = "FFFF04E3" wide
$string16 = "3,31363H3P3m3u3z3"
condition:
8 of ($string*)
}