Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
R
rules
Overview
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
fact-depend
rules
Commits
2b85939f
Commit
2b85939f
authored
May 12, 2017
by
Jaume Martin
Committed by
GitHub
May 12, 2017
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #229 from joanbono/master
Added Telefonica Ransomware rule
parents
1c56ba9b
b7fb0029
Show whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
23 additions
and
0 deletions
+23
-0
RANSOM_Telefonica.yar
malware/RANSOM_Telefonica.yar
+23
-0
No files found.
malware/RANSOM_Telefonica.yar
0 → 100644
View file @
2b85939f
import "pe"
rule ransom_telefonica : TELEF
{
meta:
author = "Joan Bono <@joan_bono>"
description = "Ransmoware Telefonica. WannaCry variant"
date = "2017-05-12"
reference = "http://www.elmundo.es/tecnologia/2017/05/12/59158a8ce5fdea194f8b4616.html"
md5 = "7f7ccaa16fb15eb1c7399d422f8363e8"
sha256 = "2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd"
strings:
$a = "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn" wide ascii nocase
$b = "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw" wide ascii nocase
$c = "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94" wide ascii nocase
$d = "tasksche.exe"
$e = "RegCreateKeyW" wide ascii nocase
$f = "cmd.exe /c"
condition:
pe.characteristics and
for any of ($a, $b, $c, $d, $e, $f): (@ > @a)
}
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
