Add files via upload

Sample of worm exploiting MS17-010 that 12/05/2017 attacked Telefonica Spain and other companies around the globe.

Add files via upload
Sample of worm exploiting MS17-010 that 12/05/2017 attacked Telefonica Spain and other companies around the globe.
5be0f43f · Felipe Molina · GitHub · 7c0c7683 · 5be0f43f
Commit 5be0f43f authored May 12, 2017 by Felipe Molina Committed by GitHub May 12, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 27 additions and 0 deletions

malw_ms17-010_wannacrypt.yar malware/malw_ms17-010_wannacrypt.yar +27 -0

No files found.
--- a/malware/malw_ms17-010_wannacrypt.yar
+++ b/malware/malw_ms17-010_wannacrypt.yar
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule MS17_010_WanaCry_worm {
+	meta:
+		description = "Worm exploiting MS17-010 and dropping WannaCry Ransomware"
+		author = "Felipe Molina (@felmoltor)"
+		reference = "https://www.exploit-db.com/exploits/41987/"
+		date = "2017/05/12"
+	strings:
+		$ms17010_str1="PC NETWORK PROGRAM 1.0"
+		$ms17010_str2="LANMAN1.0"
+		$ms17010_str3="Windows for Workgroups 3.1a"
+		$ms17010_str4="__TREEID__PLACEHOLDER__"
+		$ms17010_str5="__USERID__PLACEHOLDER__"
+		$wannacry_payload_substr1 = "h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j"
+		$wannacry_payload_substr2 = "h54WfF9cGigWFEx92bzmOd0UOaZlM"
+		$wannacry_payload_substr3 = "tpGFEoLOU6+5I78Toh/nHs/RAP"
+
+	condition:
+		all of them
+}
\ No newline at end of file