Merge pull request #259 from mikesxrs/patch-3

Create RANSOM_DoublePulsar_Petya.yar

malware/RANSOM_DoublePulsar_Petya.yar

+rule DoublePulsarXor_Petya
+{
+ meta:
+   description = "Rule to hit on the XORed DoublePulsar shellcode"
+   author = "Patrick Jones"
+   company = "Booz Allen Hamilton"
+   reference1 ="https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html"
+   reference2 = "https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf"
+   date = "2017-06-28"
+   hash = "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745"
+   hash = "64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1"
+ strings:
+   $DoublePulsarXor_Petya = { FD 0C 8C 5C B8 C4 24 C5 CC CC CC 0E E8 CC 24 6B CC CC CC 0F 24 CD CC CC CC 27 5C 97 75 BA CD CC CC C3 FE }
+ condition:
+   $DoublePulsarXor_Petya
+}
+
+rule DoublePulsarDllInjection_Petya
+{
+ meta:
+  description = "Rule to hit on the XORed DoublePulsar DLL injection shellcode"
+  author = "Patrick Jones"
+  company = "Booz Allen Hamilton"
+  reference1 ="https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html"
+  reference2 = "https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf"
+  date = "2017-06-28"
+  hash = "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745"
+  hash = "64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1" 
+ strings:
+   $DoublePulsarDllInjection_Petya = { 45 20 8D 93 8D 92 8D 91 8D 90 92 93 91 97 0F 9F 9E 9D 99 84 45 29 84 4D 20 CC CD CC CC 9B 84 45 03 84 45 14 84 45 49 CC 33 33 33 24 77 CC CC CC 84 45 49 C4 33 33 33 24 84 CD CC CC 84 45 49 DC 33 33 33 84 47 49 CC 33 33 33 84 47 41 }
+ condition:
+   $DoublePulsarDllInjection_Petya
+}