Commit 472fbbc2 by Antonio Sánchez Committed by GitHub

Merge pull request #260 from mikesxrs/patch-4

Update RANSOM_MS17-010_Wannacrypt.yar
parents 8c9a29c5 7f67a315
...@@ -24,6 +24,7 @@ rule MS17_010_WanaCry_worm { ...@@ -24,6 +24,7 @@ rule MS17_010_WanaCry_worm {
condition: condition:
all of them all of them
} }
/* /*
Four YARA rules to check for payloads on systems. Thanks to sinkholing, encyrption may not occur, BUT you may still have binaries lying around. Four YARA rules to check for payloads on systems. Thanks to sinkholing, encyrption may not occur, BUT you may still have binaries lying around.
If you get a match for "WannaDecryptor" and not for Wanna_Sample, then you may have a variant! If you get a match for "WannaDecryptor" and not for Wanna_Sample, then you may have a variant!
...@@ -49,6 +50,7 @@ rule WannaDecryptor: WannaDecryptor ...@@ -49,6 +50,7 @@ rule WannaDecryptor: WannaDecryptor
condition: condition:
3 of them 3 of them
} }
rule Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549: Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549 rule Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549: Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549
{ {
meta: meta:
...@@ -65,6 +67,7 @@ rule Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549: Wanna_Sample_84c82835a5d21bb ...@@ -65,6 +67,7 @@ rule Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549: Wanna_Sample_84c82835a5d21bb
condition: condition:
$taskdl at 3419456 and $taskse at 3422953 $taskdl at 3419456 and $taskse at 3422953
} }
rule Wanna_Sample_4da1f312a214c07143abeeafb695d904: Wanna_Sample_4da1f312a214c07143abeeafb695d904 rule Wanna_Sample_4da1f312a214c07143abeeafb695d904: Wanna_Sample_4da1f312a214c07143abeeafb695d904
{ {
meta: meta:
...@@ -260,3 +263,38 @@ rule lazaruswannacry { ...@@ -260,3 +263,38 @@ rule lazaruswannacry {
condition: condition:
uint16(0) == 0x5A4D and filesize < 15000000 and all of them uint16(0) == 0x5A4D and filesize < 15000000 and all of them
} }
/* Cylance Rule */
import "pe"
rule WannaCry_Ransomware_Dropper
{
meta:
description = "WannaCry Ransomware Dropper"
reference = "https://www.cylance.com/en_us/blog/threat-spotlight-inside-the-wannacry-attack.html"
date = "2017-05-12"
strings:
$s1 = "cmd.exe /c \"%s\"" fullword ascii
$s2 = "tasksche.exe" fullword ascii
$s3 = "icacls . /grant Everyone:F /T /C /Q" fullword ascii
$s4 = "Global\\MsWinZonesCacheCounterMutexA" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 4MB and all of them
}
rule WannaCry_SMB_Exploit
{
meta:
description = "WannaCry SMB Exploit"
reference = "https://www.cylance.com/en_us/blog/threat-spotlight-inside-the-wannacry-attack.html"
date = "2017-05-12"
strings:
$s1 = { 53 4D 42 72 00 00 00 00 18 53 C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE 00 00 40 00 00 62 00 02 50 43 20 4E 45 54 57 4F 52 4B 20 50 52 4F 47 52 41 4D 20 31 2E 30 00 02 4C 41 4E 4D 41 4E 31 2E 30 00 02 57 69 6E 64 6F 77 73 20 66 6F 72 20 57 6F 72 6B 67 72 6F 75 70 73 20 33 2E 31 61 00 02 4C 4D 31 2E 32 58 30 30 32 00 02 4C 41 4E 4D 41 4E 32 2E 31 00 02 4E 54 20 4C 4D 20 30 2E 31 32 00 00 00 00 00 00 00 88 FF 53 4D 42 73 00 00 00 00 18 07 C0 }
condition:
uint16(0) == 0x5a4d and filesize < 4MB and all of them and pe.imports("ws2_32.dll", "connect") and pe.imports("ws2_32.dll", "send") and pe.imports("ws2_32.dll", "recv") and pe.imports("ws2_32.dll", "socket") and pe.imports("ws2_32.dll", "closesocket")
}
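Review bot: The `import "pe"` placed right after the `/* Cylance Rule */` comment sits in the middle of the rule file, after the rules already defined above it, and the file may already import `pe` near its top (outside this hunk); YARA tolerates top-level imports between rules as far as I know, but the convention is a single `import "pe"` at the head of the file so the module dependency is visible before any rule that uses `pe.imports(...)`, so move it there or drop it if it is already present. The long hex string in `WannaCry_SMB_Exploit` is undocumented, yet it decodes to an SMB_COM_NEGOTIATE request ("SMBr") followed by the dialect list "PC NETWORK PROGRAM 1.0", "LANMAN1.0", "Windows for Workgroups 3.1a", "LM1.2X002", "LANMAN2.1", "NT LM 0.12" and the start of a session-setup header ("SMBs"); a one-line comment above it, `// $s1: embedded SMB_COM_NEGOTIATE request with the canned dialect list, followed by the start of an SMB session-setup header`, would let maintainers judge the match and its false-positive surface (any binary carrying a canned SMB negotiate packet). The `pe.imports("ws2_32.dll", ...)` clauses add little selectivity on their own, since most networking binaries import connect/send/recv/socket/closesocket, so the hex string is the real discriminator and the `description` meta could say so. Minor style point: the new rules write `filesize < 4MB` while the `lazaruswannacry` rule above uses a plain integer (`15000000`); either form works, but the file would read more consistently with one convention.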