Update and rename MALW_MS17-010_Wannacrypt.yar to RANSOM_MS17-010_Wannacrypt.yar

4b6c6047 · mmorenog · GitHub · 29de758c · 4b6c6047
Commit 4b6c6047 authored May 17, 2017 by mmorenog Committed by GitHub May 17, 2017
Show whitespace changes
Inline Side-by-side

Showing with 1 additions and 42 deletions

RANSOM_MS17-010_Wannacrypt.yar malware/RANSOM_MS17-010_Wannacrypt.yar +1 -42

No files found.
--- a/malware/MALW_MS17-010_Wannacrypt.yar
+++ b/malware/MALW_MS17-010_Wannacrypt.yar
@@ -116,48 +116,7 @@ rule ransom_telefonica : TELEF
  condition:
    uint16(0) == 0x5A4D and $a and for all of ($b, $c, $d, $e, $f) : (@ > @a)
 }
-rule WannaDecryptor: WannaDecryptor
-{
- meta: description = "Detection for common strings of WannaDecryptor"
- strings: $id1 = "taskdl.exe"
- $id2 = "taskse.exe"
-$id3 = "r.wnry" $id4 = "s.wnry"
-$id5 = "t.wnry"
-$id6 = "u.wnry"
-$id7 = "msg/m_"
- condition: 3 of them
-}
-rule Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549:
-Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549
-{
- meta: description = "Specific sample match for WannaCryptor" MD5 = "84c82835a5d21bbcf75a61706d8ab549"
-SHA1 = "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" SHA256 = "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
- INFO = "Looks for 'taskdl' and 'taskse' at known offsets"
- strings:
- $taskdl = { 00 74 61 73 6b 64 6c } $taskse = { 00 74 61 73 6b 73 65 }
- condition: $taskdl at 3419456 and $taskse at 3422953
-}
-rule Wanna_Sample_4da1f312a214c07143abeeafb695d904:
-Wanna_Sample_4da1f312a214c07143abeeafb695d904
-{
- meta:
- description = "Specific sample match for WannaCryptor" MD5 = "4da1f312a214c07143abeeafb695d904" SHA1 = "b629f072c9241fd2451f1cbca2290197e72a8f5e"
-SHA256 = "aee20f9188a5c3954623583c6b0e6623ec90d5cd3fdec4e1001646e27664002c" INFO = "Looks for offsets of r.wry and s.wry instances"
- strings: $rwnry = { 72 2e 77 72 79 } $swnry = { 73 2e 77 72 79 }
- condition:
- $rwnry at 88195 and $swnry at 88656 and $rwnry at 4495639
-}
-rule NHS_Strain_Wanna: NHS_Strain_Wanna
-{
- meta: description = "Detection for worm-strain bundle of Wcry, DOublePulsar"
- MD5 = "db349b97c37d22f5ea1d1841e3c89eb4"
- SHA1 = "e889544aff85ffaf8b0d0da705105dee7c97fe26" SHA256 = "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
-INFO = "Looks for specific offsets of c.wnry and t.wnry strings"
- strings:
- $cwnry = { 63 2e 77 6e 72 79 }
-$twnry = { 74 2e 77 6e 72 79 }
- condition: $cwnry at 262324 and $twnry at 267672 and $cwnry at 284970
-}
+
 rule Wanna_Cry_Ransomware_Generic
 {
 meta: