Merge pull request #360 from bartblaze/master

Create RANSOM_Maze.yar

Merge pull request #360 from bartblaze/master
Create RANSOM_Maze.yar
4c9e3bc6 · jovimon · GitHub · 6a600e71 · 4e88977f · 4c9e3bc6
Unverified Commit 4c9e3bc6 authored 5 years ago by jovimon Committed by GitHub 5 years ago
Hide whitespace changes
Inline Side-by-side

Showing with 29 additions and 0 deletions

RANSOM_Maze.yar malware/RANSOM_Maze.yar +29 -0

No files found.
--- a/malware/RANSOM_Maze.yar
+++ b/malware/RANSOM_Maze.yar
+rule Maze
+{
+meta:
+	description = "Identifies Maze ransomware in memory or unpacked."
+	author = "@bartblaze"
+	date = "2019-11"
+	tlp = "White"
+
+strings:	
+	$ = "Enc: %s" ascii wide
+	$ = "Encrypting whole system" ascii wide
+	$ = "Encrypting specified folder in --path parameter..." ascii wide
+	$ = "!Finished in %d ms!" ascii wide
+	$ = "--logging" ascii wide
+	$ = "--nomutex" ascii wide
+	$ = "--noshares" ascii wide
+	$ = "--path" ascii wide
+	$ = "Logging enabled | Maze" ascii wide
+	$ = "NO SHARES | " ascii wide
+	$ = "NO MUTEX | " ascii wide
+	$ = "Encrypting:" ascii wide
+	$ = "You need to buy decryptor in order to restore the files." ascii wide
+	$ = "Dear %s, your files have been encrypted by RSA-2048 and ChaCha algorithms" ascii wide
+	$ = "%s! Alert! %s! Alert! Dear %s Your files have been encrypted by %s! Attention! %s" ascii wide
+	$ = "DECRYPT-FILES.txt" ascii wide fullword
+
+condition:
+	5 of them
+}