fact-depend / rules
Commit 29de758c
authored May 17, 2017 by mmorenog
Committed by GitHub May 17, 2017
Update MALW_MS17-010_Wannacrypt.yar
parent 787d2671
Showing 1 changed file with 63 additions and 0 deletions (+63 -0)
malware/MALW_MS17-010_Wannacrypt.yar (+63 -0)
@@ -116,3 +116,66 @@ rule ransom_telefonica : TELEF
condition:
uint16(0) == 0x5A4D and $a and for all of ($b, $c, $d, $e, $f) : (@ > @a)
}
rule WannaDecryptor: WannaDecryptor
{
meta: description = "Detection for common strings of WannaDecryptor"
strings: $id1 = "taskdl.exe"
$id2 = "taskse.exe"
$id3 = "r.wnry" $id4 = "s.wnry"
$id5 = "t.wnry"
$id6 = "u.wnry"
$id7 = "msg/m_"
condition: 3 of them
}
rule Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549:
Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549
{
meta: description = "Specific sample match for WannaCryptor" MD5 = "84c82835a5d21bbcf75a61706d8ab549"
SHA1 = "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" SHA256 = "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
INFO = "Looks for 'taskdl' and 'taskse' at known offsets"
strings:
$taskdl = { 00 74 61 73 6b 64 6c } $taskse = { 00 74 61 73 6b 73 65 }
condition: $taskdl at 3419456 and $taskse at 3422953
}
rule Wanna_Sample_4da1f312a214c07143abeeafb695d904:
Wanna_Sample_4da1f312a214c07143abeeafb695d904
{
meta:
description = "Specific sample match for WannaCryptor" MD5 = "4da1f312a214c07143abeeafb695d904" SHA1 = "b629f072c9241fd2451f1cbca2290197e72a8f5e"
SHA256 = "aee20f9188a5c3954623583c6b0e6623ec90d5cd3fdec4e1001646e27664002c" INFO = "Looks for offsets of r.wry and s.wry instances"
strings: $rwnry = { 72 2e 77 72 79 } $swnry = { 73 2e 77 72 79 }
condition:
$rwnry at 88195 and $swnry at 88656 and $rwnry at 4495639
}
rule NHS_Strain_Wanna: NHS_Strain_Wanna
{
meta: description = "Detection for worm-strain bundle of Wcry, DOublePulsar"
MD5 = "db349b97c37d22f5ea1d1841e3c89eb4"
SHA1 = "e889544aff85ffaf8b0d0da705105dee7c97fe26" SHA256 = "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
INFO = "Looks for specific offsets of c.wnry and t.wnry strings"
strings:
$cwnry = { 63 2e 77 6e 72 79 }
$twnry = { 74 2e 77 6e 72 79 }
condition: $cwnry at 262324 and $twnry at 267672 and $cwnry at 284970
}
rule Wanna_Cry_Ransomware_Generic
{
meta:
description = "Detects WannaCry Ransomware on disk and in virtual page"
author = "US-CERT Code Analysis Team"
reference = "not set"
date = "2017/05/12"
hash0 = "4DA1F312A214C07143ABEEAFB695D904"
strings:
$s0 = {410044004D0049004E0024}
$s1 = "WannaDecryptor"
$s2 = "WANNACRY"
$s3 = "Microsoft Enhanced RSA and AES Cryptographic"
$s4 = "PKS"
$s5 = "StartTask"
$s6 = "wcry@123"
$s7 = {2F6600002F72}
$s8 = "unzip 0.15 Copyrigh"
condition:
$s0 and $s1 and $s2 and $s3 or $s4 or $s5 or $s6 or $s7 or $s8
}
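Review bot: the condition of `Wanna_Cry_Ransomware_Generic` mixes `and` and `or` without parentheses, and because `and` binds tighter than `or` in YARA it reads as `($s0 and $s1 and $s2 and $s3) or $s4 or $s5 or $s6 or $s7 or $s8`, so any file that merely contains the 3-byte literal `"PKS"` or the word `"StartTask"` on its own will match. If the intent is the four required strings plus any one of the others, write `$s0 and $s1 and $s2 and $s3 and ($s4 or $s5 or $s6 or $s7 or $s8)`, and consider the same `uint16(0) == 0x5A4D` guard that `ransom_telefonica` uses at the top of this hunk so the rule is restricted to PE files. Smaller points in the same hunk: `reference = "not set"` is a placeholder that should either cite the US-CERT source or be dropped, and the `NHS_Strain_Wanna` description has a typo (`DOublePulsar`).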