Create RANSOM_jeff_dev

malware/RANSOM_jeff_dev

+rule jeff_dev_ransomware {
+
+   meta:
+   
+      description = "Rule to detect Jeff DEV Ransomware"
+      author = "Marc Rivero | @seifreed"
+      reference = "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"
+      
+   strings:
+
+      $s1 = "C:\\Users\\Umut\\Desktop\\takemeon" fullword wide
+      $s2 = "C:\\Users\\Umut\\Desktop\\" fullword ascii
+      $s3 = "PRESS HERE TO STOP THIS CREEPY SOUND AND VIEW WHAT HAPPENED TO YOUR COMPUTER" fullword wide
+      $s4 = "WHAT YOU DO TO MY COMPUTER??!??!!!" fullword wide
+
+   condition:
+
+      ( uint16(0) == 0x5a4d and filesize < 5000KB ) and all of them
+}