Create RANSOM_Maze.yar

4e88977f · Bart · GitHub · d4ca8171 · 4e88977f
Unverified Commit 4e88977f authored Nov 24, 2019 by Bart Committed by GitHub Nov 24, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 29 additions and 0 deletions

RANSOM_Maze.yar malware/RANSOM_Maze.yar +29 -0

No files found.
--- a/malware/RANSOM_Maze.yar
+++ b/malware/RANSOM_Maze.yar
+rule Maze
+{
+meta:
+	description = "Identifies Maze ransomware in memory or unpacked."
+	author = "@bartblaze"
+	date = "2019-11"
+	tlp = "White"
+
+strings:	
+	$ = "Enc: %s" ascii wide
+	$ = "Encrypting whole system" ascii wide
+	$ = "Encrypting specified folder in --path parameter..." ascii wide
+	$ = "!Finished in %d ms!" ascii wide
+	$ = "--logging" ascii wide
+	$ = "--nomutex" ascii wide
+	$ = "--noshares" ascii wide
+	$ = "--path" ascii wide
+	$ = "Logging enabled | Maze" ascii wide
+	$ = "NO SHARES | " ascii wide
+	$ = "NO MUTEX | " ascii wide
+	$ = "Encrypting:" ascii wide
+	$ = "You need to buy decryptor in order to restore the files." ascii wide
+	$ = "Dear %s, your files have been encrypted by RSA-2048 and ChaCha algorithms" ascii wide
+	$ = "%s! Alert! %s! Alert! Dear %s Your files have been encrypted by %s! Attention! %s" ascii wide
+	$ = "DECRYPT-FILES.txt" ascii wide fullword
+
+condition:
+	5 of them
+}