Added .777 ransomware rule

30ac6e7d · Daxda · 0b8764f2 · 30ac6e7d
Commit 30ac6e7d authored Jun 13, 2016 by Daxda
Show whitespace changes
Inline Side-by-side

Showing with 24 additions and 0 deletions

MW_Ransomware_777.yar malware/MW_Ransomware_777.yar +24 -0

No files found.
--- a/malware/MW_Ransomware_777.yar
+++ b/malware/MW_Ransomware_777.yar
+rule legion_777
+{
+
+    meta:
+        author = "Daxda (https://github.com/Daxda)"
+        date 2016/6/6
+        description = "Detects an UPX-unpacked .777 ransomware binary."
+        category = "Ransomware"
+        sample = "SHA256: 14d22359e76cf63bf17268cad24bac03663c8b2b8028b869f5cec10fe3f75548"
+
+    strings:
+        $s1 = "http://tuginsaat.com/wp-content/themes/twentythirteen/stats.php"
+        $s2 = "read_this_file.txt" wide // Ransom note filename.
+        $s3 = "seven_legion@india.com" // Part of the format string used to rename files.
+        $s4 = {46 4f 52 20 44 45 43 52 59 50 54 20 46 49 4c 45 53 0d 0a 53 45 4e 44 20 4f
+               4e 45 20 46 49 4c 45 20 49 4e 20 45 2d 4d 41 49 4c 0d 0a 73 65 76 65 6e 5f
+               6c 65 67 69 6f 6e 40 69 6e 64 69 61 2e 63 6f 6d } // Ransom note content.
+        $s5 = "%s._%02i-%02i-%02i-%02i-%02i-%02i_$%s$.777" // Renaming format string.
+
+    condition:
+        4 of ($s*)
+
+
+}