Commit 30f5d980 by Your Mom

Merge branch 'master' of https://github.com/Yara-Rules/rules

parents 791706f1 5cd16d32
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
// Arkei Stealer: matches samples that carry the family name together with
// two "/server/..." URL paths (presumably server-side endpoints), a staging
// folder fragment and a "SQLite" marker.
// Note: unlike the other rules in this file there is no MZ-header or filesize
// gate, so any file type containing all five strings will match.
rule Arkei : Arkei
{
    meta:
        Author      = "Fumik0_"
        Description = "Arkei Stealer"
        Date        = "2018/07/10"
        Hash        = "5632c89fe4c7c2c87b69d787bbf0a5b4cc535f1aa02699792888c60e0ef88fc5"

    strings:
        $family  = "Arkei" ascii wide               // family name embedded in the binary
        $gate    = "/server/gate" ascii wide        // server URL path
        $grabcfg = "/server/grubConfig" ascii wide  // server URL path (spelling as found in samples)
        $stage   = "\\files\\" ascii wide           // local staging directory fragment
        $sqlite  = "SQLite" ascii wide              // SQLite marker

    condition:
        // Every declared string must be present (there are no non-$s strings,
        // so this is the same set as all of ($s*)).
        all of them
}
// CryptoNar ransomware: PE files under 2000KB that embed the decryptor's PDB
// path, its .NET resource names and the full set of ransom-note fragments.
rule cryptonar_ransomware
{
    meta:
        description = "Rule to detect CryptoNar Ransomware"
        author      = "Marc Rivero | @seifreed"
        reference   = "https://www.bleepingcomputer.com/news/security/cryptonar-ransomware-discovered-and-quickly-decrypted/"

    strings:
        // build artefacts of the decryptor component
        $pdb          = "C:\\narnar\\CryptoNar\\CryptoNarDecryptor\\obj\\Debug\\CryptoNar.pdb" ascii fullword
        $exe          = "CryptoNarDecryptor.exe" wide fullword
        $res_keywin   = "CryptoNarDecryptor.KeyValidationWindow.resources" ascii fullword
        $res_progress = "CryptoNarDecryptor.DecryptionProgressBarForm.resources" ascii fullword
        $res_props    = "CryptoNarDecryptor.Properties.Resources.resources" ascii fullword
        $ctl_progress = "DecryptionProcessProgressBar" wide fullword

        // ransom-note / UI text (partial sentences are deliberate: the note is split across resources)
        $note_a   = "server will eliminate the key after 72 hours since its generation (since the moment your computer was infected). Once this has " ascii fullword
        $note_b   = "Do not delete this file, else the decryption process will be broken" wide fullword
        $note_c   = "key you received, and wait until the decryption process is done." ascii fullword
        $note_d   = "In order to receive your decryption key, you will have to pay $200 in bitcoins to this bitcoin address: [bitcoin address]" ascii fullword
        $note_e   = "Important note: Removing CryptoNar will not restore access to your encrypted files." ascii fullword
        $msg_fail = "Decryption process failed" wide fullword
        $msg_soon = "Decryption process will start soon" wide fullword
        $email    = "johnsmith987654@tutanota.com" wide fullword

    condition:
        uint16(0) == 0x5a4d   // "MZ" DOS header: restrict to PE executables
        and filesize < 2000KB
        and all of them
}
// Pico ransomware (built from the Thanatos source, per the PDB path): PE files
// under 700KB containing the README.txt drop paths, the taskkill command
// fragment, the Thanatos/1.1 user-agent and the remaining support strings.
rule pico_ransomware
{
    meta:
        description = "Rule to detect Pico Ransomware"
        author      = "Marc Rivero | @seifreed"
        reference   = "https://twitter.com/siri_urz/status/1035138577934557184"

    strings:
        $pdb = "C:\\Users\\rikfe\\Desktop\\Ransomware\\ThanatosSource\\Release\\Ransomware.pdb" ascii fullword

        // ransom-note drop locations, one per user folder
        $readme_dl    = "\\Downloads\\README.txt" ascii fullword
        $readme_music = "\\Music\\README.txt" ascii fullword
        $readme_video = "\\Videos\\README.txt" ascii fullword
        $readme_pics  = "\\Pictures\\README.txt" ascii fullword
        $readme_desk  = "\\Desktop\\README.txt" ascii fullword
        $readme_docs  = "\\Documents\\README.txt" ascii fullword

        $taskkill = "/c taskkill /im " ascii fullword                          // process-termination command fragment
        $ua       = "gMozilla/5.0 (Windows NT 6.1) Thanatos/1.1" wide fullword // custom user-agent (leading 'g' as found in the sample)

        // generic path fragments; low specificity alone, useful only because every string is required
        $roaming_a = "\\AppData\\Roaming\\" ascii fullword
        $roaming_b = "AppData\\Roaming" ascii fullword
        $downloads = "\\Downloads" ascii fullword
        $co_await  = "operator co_await" ascii fullword   // likely a C++ runtime/type-name string rather than malware-specific; verify before relying on it

    condition:
        uint16(0) == 0x5a4d   // "MZ" DOS header: restrict to PE executables
        and filesize < 700KB
        and all of them
}
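// Unpacked Shiva ransomware: PE files under 800KB carrying the Shiva debug
// PDB path, the "write.php?info=" request fragment, the ransom-note sentences
// and the ".compositiontemplate"/".lastlogin"/".logonxp" markers.
// The rule only covers unpacked samples (see the rule name); packed builds
// will not expose these plaintext strings.
rule unpacked_shiva_ransomware
{
    meta:
        // fixed typo in the description ("ransopmw" -> "ransomware"); detection logic unchanged
        description = "Rule to detect an unpacked sample of Shiva ransomware"
        author      = "Marc Rivero | @seifreed"
        reference   = "https://twitter.com/malwrhunterteam/status/1037424962569732096"

    strings:
        $pdb = "c:\\Users\\sys\\Desktop\\v 0.5\\Shiva\\Shiva\\obj\\Debug\\shiva.pdb" ascii fullword

        // ransom-note text
        $note_a = "This email will be as confirmation you are ready to pay for decryption key." wide fullword
        $note_b = "Your important files are now encrypted due to a security problem with your PC!" wide fullword
        $note_c = " * Do not try to decrypt your data using third party software, it may cause permanent data loss." wide fullword
        $note_d = " * Do not rename encrypted files." wide fullword
        $note_e = "You have to pay for decryption in Bitcoins. The price depends on how fast you write to us." wide fullword
        $note_f = " * Decryption of your files with the help of third parties may cause increased price" wide fullword
        $note_g = "After payment we will send you the decryption tool that will decrypt all your files." wide fullword
        $note_file = "\\READ_IT.txt" wide fullword

        // other artefacts
        $php    = "write.php?info=" wide fullword   // request fragment (purpose not visible here; presumably check-in)
        $ext_a  = ".compositiontemplate" wide fullword
        $ext_b  = ".lastlogin" wide fullword
        $ext_c  = ".logonxp" wide fullword

    condition:
        uint16(0) == 0x5a4d   // "MZ" DOS header: restrict to PE executables
        and filesize < 800KB
        and all of them
}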
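// Acroware screenlocker: PE files under 2000KB carrying the "Advanced Ransi"
// PDB path, the ransom-note fragments, the contact address and the Run-key
// persistence string.
// Fix: the rule body was not closed (the next rule started directly after the
// condition), which makes the whole file fail to compile; the closing brace is
// restored below.
rule screenlocker_acroware
{
    meta:
        description = "Rule to detect Acroware ScreenLocker"
        author      = "Marc Rivero | @seifreed"
        reference   = "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"

    strings:
        $pdb = "C:\\Users\\patri\\Documents\\Visual Studio 2015\\Projects\\Advanced Ransi\\Advanced Ransi\\obj\\Debug\\Advanced Ransi.pdb" ascii fullword

        // ransom-note text; "thedecryption" is reproduced verbatim -- the match is
        // fullword on this exact text, so do not "correct" it without re-checking a sample
        $note_a = "All your Personal Data got encrypted and the decryption key is stored on a hidden" ascii fullword
        $note_b = "alphaoil@mail2tor.com any try of removing this Ransomware will result in an instantly " ascii fullword
        $note_c = "webserver, after 72 hours thedecryption key will get removed and your personal" ascii fullword

        // Run-key path as embedded in the sample; "SoftwareE" is kept as found for the same reason
        $runkey = "HKEY_CURRENT_USER\\SoftwareE\\Microsoft\\Windows\\CurrentVersion\\Run" wide fullword

    condition:
        uint16(0) == 0x5a4d   // "MZ" DOS header: restrict to PE executables
        and filesize < 2000KB
        and all of them
}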
// Jeff DEV ransomware: PE files under 5000KB containing the developer's
// desktop paths and the two lock-screen messages.
rule jeff_dev_ransomware
{
    meta:
        description = "Rule to detect Jeff DEV Ransomware"
        author      = "Marc Rivero | @seifreed"
        reference   = "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"

    strings:
        // build-environment paths left in the binary
        $path_a = "C:\\Users\\Umut\\Desktop\\takemeon" wide fullword
        $path_b = "C:\\Users\\Umut\\Desktop\\" ascii fullword

        // lock-screen text
        $msg_a = "PRESS HERE TO STOP THIS CREEPY SOUND AND VIEW WHAT HAPPENED TO YOUR COMPUTER" wide fullword
        $msg_b = "WHAT YOU DO TO MY COMPUTER??!??!!!" wide fullword

    condition:
        uint16(0) == 0x5a4d   // "MZ" DOS header: restrict to PE executables
        and filesize < 5000KB
        and all of them
}
// Locdoor / DryCry ransomware: PE files under 600KB containing the batch-style
// StartUp-folder copy commands, the SAPI text-to-speech line and the
// ransom-note sentences.
rule locdoor_ransomware
{
    meta:
        description = "Rule to detect Locdoor/DryCry"
        author      = "Marc Rivero | @seifreed"
        reference   = "https://twitter.com/leotpsc/status/1036180615744376832"

    strings:
        // persistence: copies of the binary and a VBS helper into the all-users StartUp folder
        $copy_exe = "copy \"Locdoor.exe\" \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\temp00000000.exe\"" ascii fullword
        $copy_vbs = "copy wscript.vbs C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\wscript.vbs" ascii fullword

        // ransom-note text, including the spoken (SAPI.SpVoice) variant
        $note_a  = "!! Your computer's important files have been encrypted! Your computer's important files have been encrypted!" ascii fullword
        $note_tts = "echo CreateObject(\"SAPI.SpVoice\").Speak \"Your computer's important files have been encrypted! " ascii fullword
        $note_b  = "! Your computer's important files have been encrypted! " ascii fullword
        $note_c  = "echo Your computer's files have been encrypted to Locdoor Ransomware! To make a recovery go to localbitcoins.com and create a wa" ascii   // truncated line, so not fullword

        // misc UI strings
        $msg_os  = "This program is not supported on your operating system." ascii fullword
        $msg_pwd = "Please enter the password." ascii fullword

    condition:
        uint16(0) == 0x5a4d   // "MZ" DOS header: restrict to PE executables
        and filesize < 600KB
        and all of them
}
// 5h311_1nj3c706 screenlocker: PE files under 200KB carrying the WindowsApp22
// PDB path, the registry-policy command fragments (wallpaper lock, Defender
// DisableAntiSpyware), the C:\Users\file*.txt paths and the ransom messages.
rule screenlocker_5h311_1nj3c706
{
    meta:
        description = "Rule to detect the screenlocker 5h311_1nj3c706"
        author      = "Marc Rivero | @seifreed"
        reference   = "https://twitter.com/demonslay335/status/1038060120461266944"

    strings:
        $pdb = "C:\\Users\\Hoang Nam\\source\\repos\\WindowsApp22\\WindowsApp22\\obj\\Debug\\WindowsApp22.pdb" ascii fullword

        // registry changes issued through cmd.exe; the first is truncated in the sample, hence no fullword
        $reg_nowallpaper = "cmd.exe /cREG add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\ActiveDesktop /v NoChangingWallPaper /t REG_DWOR" wide
        $reg_wallpaper   = " /v Wallpaper /t REG_SZ /d %temp%\\IMG.jpg /f" wide fullword
        $reg_antispy     = " /v DisableAntiSpyware /t REG_DWORD /d 1 /f" wide fullword

        // hard-coded file paths
        $file_a = "C:\\Users\\file1.txt" wide fullword
        $file_b = "C:\\Users\\file2.txt" wide fullword
        $file_c = "C:\\Users\\file.txt" wide fullword

        // ransom-note text
        $note_a = "All your file has been locked. You must pay money to have a key." wide fullword
        $note_b = "After we receive Bitcoin from you. We will send key to your email." wide fullword

    condition:
        uint16(0) == 0x5a4d   // "MZ" DOS header: restrict to PE executables
        and filesize < 200KB
        and all of them
}
// Shrug2 (.NET) ransomware: PE files under 2000KB containing the ShrugTwo PDB
// path, the 000webhostapp URL, the @ShrugDecryptor@ shortcut strings and a
// connectivity-check URL.
rule shrug2_ransomware
{
    meta:
        description = "Rule to detect Shrug2 ransomware"
        author      = "Marc Rivero | @seifreed"
        reference   = "https://blogs.quickheal.com/new-net-ransomware-shrug2/"

    strings:
        $pdb = "C:\\Users\\Gamer\\Desktop\\Shrug2\\ShrugTwo\\ShrugTwo\\obj\\Debug\\ShrugTwo.pdb" ascii fullword
        $url = "http://tempacc11vl.000webhostapp.com/" wide fullword

        // decryptor shortcut dropped on the desktop
        $lnk_desc = "Shortcut for @ShrugDecryptor@.exe" wide fullword
        $lnk_path = "\\Desktop\\@ShrugDecryptor@.lnk" wide fullword

        // low-specificity strings: a bare users-folder prefix and a connectivity-check URL
        // that legitimate software also uses; they only add value because all strings are required
        $users  = "C:\\Users\\" wide fullword
        $gen204 = "http://clients3.google.com/generate_204" wide fullword

    condition:
        uint16(0) == 0x5a4d   // "MZ" DOS header: restrict to PE executables
        and filesize < 2000KB
        and all of them
}
// Termite ransomware: PE files under 6000KB containing the mswsock.dll
// paths, the Run-key values for Termite.exe / Payment.exe, the contact
// address and the image-file filter string.
rule termite_ransomware
{
    meta:
        description = "Rule to detect Termite Ransomware"
        author      = "Marc Rivero | @seifreed"
        reference   = "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"

    strings:
        // system DLL paths referenced by the sample (32- and 64-bit locations)
        $mswsock_native = "C:\\Windows\\SysNative\\mswsock.dll" ascii fullword
        $mswsock_wow64  = "C:\\Windows\\SysWOW64\\mswsock.dll" ascii fullword

        // persistence / drop locations
        $run_termite = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Termite.exe" ascii fullword
        $run_payment = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Payment.exe" ascii fullword
        $drop_path   = "C:\\Windows\\Termite.exe" ascii fullword
        $shell_open  = "\\Shell\\Open\\Command\\" ascii fullword

        $email  = "t314.520@qq.com" ascii fullword
        $filter = "(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG" ascii fullword   // file-dialog filter string

    condition:
        uint16(0) == 0x5a4d   // "MZ" DOS header: restrict to PE executables
        and filesize < 6000KB
        and all of them
}