Merge pull request #260 from mikesxrs/patch-4

Update RANSOM_MS17-010_Wannacrypt.yar

Merge pull request #260 from mikesxrs/patch-4
Update RANSOM_MS17-010_Wannacrypt.yar
472fbbc2 · Antonio Sánchez · GitHub · 8c9a29c5 · 7f67a315 · 472fbbc2
Commit 472fbbc2 authored Jul 11, 2017 by Antonio Sánchez Committed by GitHub Jul 11, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 38 additions and 0 deletions

RANSOM_MS17-010_Wannacrypt.yar malware/RANSOM_MS17-010_Wannacrypt.yar +38 -0

No files found.
--- a/malware/RANSOM_MS17-010_Wannacrypt.yar
+++ b/malware/RANSOM_MS17-010_Wannacrypt.yar
@@ -24,6 +24,7 @@ rule MS17_010_WanaCry_worm {
 	condition:
 		all of them
 }
+
 /*
 Four YARA rules to check for payloads on systems. Thanks to sinkholing, encyrption may not occur, BUT you may still have binaries lying around.
 If you get a match for "WannaDecryptor" and not for Wanna_Sample, then you may have a variant!
@@ -49,6 +50,7 @@ rule WannaDecryptor: WannaDecryptor
        condition:
                3 of them
 }
+
 rule Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549: Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549
 {
        meta:
@@ -65,6 +67,7 @@ rule Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549: Wanna_Sample_84c82835a5d21bb
        condition:
                $taskdl at 3419456 and $taskse at 3422953
 }
+
 rule Wanna_Sample_4da1f312a214c07143abeeafb695d904: Wanna_Sample_4da1f312a214c07143abeeafb695d904
 {
        meta:
@@ -260,3 +263,38 @@ rule lazaruswannacry {
   condition:
      uint16(0) == 0x5A4D and filesize < 15000000 and all of them
 }
+
+/* Cylance Rule */
+
+ import "pe"
+ 
+ rule WannaCry_Ransomware_Dropper
+ {
+ meta:
+	description = "WannaCry Ransomware Dropper"
+ 	reference = "https://www.cylance.com/en_us/blog/threat-spotlight-inside-the-wannacry-attack.html"
+ 	date = "2017-05-12"
+
+strings:
+	$s1 = "cmd.exe /c \"%s\"" fullword ascii
+ 	$s2 = "tasksche.exe" fullword ascii
+ 	$s3 = "icacls . /grant Everyone:F /T /C /Q" fullword ascii
+ 	$s4 = "Global\\MsWinZonesCacheCounterMutexA" fullword ascii
+ 
+ condition:
+ 	uint16(0) == 0x5a4d and filesize < 4MB and all of them
+}
+
+rule WannaCry_SMB_Exploit
+{
+ meta:
+ 	description = "WannaCry SMB Exploit"
+ 	reference = "https://www.cylance.com/en_us/blog/threat-spotlight-inside-the-wannacry-attack.html"
+ 	date = "2017-05-12"
+ 
+ strings:
+ 	$s1 = { 53 4D 42 72 00 00 00 00 18 53 C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE 00 00 40 00 00 62 00 02 50 43 20 4E 45 54 57 4F 52 4B 20 50 52 4F 47 52 41 4D 20 31 2E 30 00 02 4C 41 4E 4D 41 4E 31 2E 30 00 02 57 69 6E 64 6F 77 73 20 66 6F 72 20 57 6F 72 6B 67 72 6F 75 70 73 20 33 2E 31 61 00 02 4C 4D 31 2E 32 58 30 30 32 00 02 4C 41 4E 4D 41 4E 32 2E 31 00 02 4E 54 20 4C 4D 20 30 2E 31 32 00 00 00 00 00 00 00 88 FF 53 4D 42 73 00 00 00 00 18 07 C0 }
+ 
+ condition:
+ 	uint16(0) == 0x5a4d and filesize < 4MB and all of them and pe.imports("ws2_32.dll", "connect") and pe.imports("ws2_32.dll", "send") and pe.imports("ws2_32.dll", "recv") and pe.imports("ws2_32.dll", "socket") and pe.imports("ws2_32.dll", "closesocket")
+ }