Create RANSOM_Shiva

malware/RANSOM_Shiva

+rule unpacked_shiva_ransomware {
+
+   meta:
+
+      description = "Rule to detect an unpacked sample of Shiva ransopmw"
+      author = "Marc Rivero | @seifreed"
+      reference = "https://twitter.com/malwrhunterteam/status/1037424962569732096"
+    
+   strings:
+
+      $s1 = "c:\\Users\\sys\\Desktop\\v 0.5\\Shiva\\Shiva\\obj\\Debug\\shiva.pdb" fullword ascii
+      $s2 = "This email will be as confirmation you are ready to pay for decryption key." fullword wide
+      $s3 = "Your important files are now encrypted due to a security problem with your PC!" fullword wide
+      $s4 = "write.php?info=" fullword wide
+      $s5 = " * Do not try to decrypt your data using third party software, it may cause permanent data loss." fullword wide
+      $s6 = " * Do not rename encrypted files." fullword wide
+      $s7 = ".compositiontemplate" fullword wide
+      $s8 = "You have to pay for decryption in Bitcoins. The price depends on how fast you write to us." fullword wide
+      $s9 = "\\READ_IT.txt" fullword wide
+      $s10 = ".lastlogin" fullword wide
+      $s11 = ".logonxp" fullword wide
+      $s12 = " * Decryption of your files with the help of third parties may cause increased price" fullword wide
+      $s13 = "After payment we will send you the decryption tool that will decrypt all your files." fullword wide
+   
+   condition:
+
+      ( uint16(0) == 0x5a4d and filesize < 800KB ) and all of them 
+}