Update and rename malw_ms17-010_wannacrypt.yar to MALW_MS17-010_Wannacrypt.yar

malware/MALW_MS17-010_Wannacrypt.yar

+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule MS17_010_WanaCry_worm {
+	meta:
+		description = "Worm exploiting MS17-010 and dropping WannaCry Ransomware"
+		author = "Felipe Molina (@felmoltor)"
+		reference = "https://www.exploit-db.com/exploits/41987/"
+		date = "2017/05/12"
+	strings:
+		$ms17010_str1="PC NETWORK PROGRAM 1.0"
+		$ms17010_str2="LANMAN1.0"
+		$ms17010_str3="Windows for Workgroups 3.1a"
+		$ms17010_str4="__TREEID__PLACEHOLDER__"
+		$ms17010_str5="__USERID__PLACEHOLDER__"
+		$wannacry_payload_substr1 = "h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j"
+		$wannacry_payload_substr2 = "h54WfF9cGigWFEx92bzmOd0UOaZlM"
+		$wannacry_payload_substr3 = "tpGFEoLOU6+5I78Toh/nHs/RAP"
+
+	condition:
+		all of them
+}
+/*
+Four YARA rules to check for payloads on systems. Thanks to sinkholing, encyrption may not occur, BUT you may still have binaries lying around.
+If you get a match for "WannaDecryptor" and not for Wanna_Sample, then you may have a variant!
+ 
+Check out http://yara.readthedocs.io on how to write and add a rule as below and index your
+rule by the sample hashes.  Add, share, rinse and repeat!
+*/
+ 
+rule WannaDecryptor: WannaDecryptor
+{
+        meta:
+                description = "Detection for common strings of WannaDecryptor"
+ 
+        strings:
+                $id1 = "taskdl.exe"
+                $id2 = "taskse.exe"
+                $id3 = "r.wnry"
+                $id4 = "s.wnry"
+                $id5 = "t.wnry"
+                $id6 = "u.wnry"
+                $id7 = "msg/m_"
+ 
+        condition:
+                3 of them
+}
+rule Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549: Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549
+{
+        meta:
+                description = "Specific sample match for WannaCryptor"
+                MD5 = "84c82835a5d21bbcf75a61706d8ab549"
+                SHA1 = "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"
+                SHA256 = "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                INFO = "Looks for 'taskdl' and 'taskse' at known offsets"
+ 
+        strings:
+                $taskdl = { 00 74 61 73 6b 64 6c }
+                $taskse = { 00 74 61 73 6b 73 65 }
+ 
+        condition:
+                $taskdl at 3419456 and $taskse at 3422953
+}
+rule Wanna_Sample_4da1f312a214c07143abeeafb695d904: Wanna_Sample_4da1f312a214c07143abeeafb695d904
+{
+        meta:
+                description = "Specific sample match for WannaCryptor"
+                MD5 = "4da1f312a214c07143abeeafb695d904"
+                SHA1 = "b629f072c9241fd2451f1cbca2290197e72a8f5e"
+                SHA256 = "aee20f9188a5c3954623583c6b0e6623ec90d5cd3fdec4e1001646e27664002c"
+                INFO = "Looks for offsets of r.wry and s.wry instances"
+ 
+        strings:
+                $rwnry = { 72 2e 77 72 79 }
+                $swnry = { 73 2e 77 72 79 }
+ 
+        condition:
+                $rwnry at 88195 and $swnry at 88656 and $rwnry at 4495639
+}
+rule NHS_Strain_Wanna: NHS_Strain_Wanna
+{
+        meta:
+                description = "Detection for worm-strain bundle of Wcry, DOublePulsar"
+                MD5 = "db349b97c37d22f5ea1d1841e3c89eb4"
+                SHA1 = "e889544aff85ffaf8b0d0da705105dee7c97fe26"
+                SHA256 = "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                INFO = "Looks for specific offsets of c.wnry and t.wnry strings"
+ 
+        strings:
+                $cwnry = { 63 2e 77 6e 72 79 }
+                $twnry = { 74 2e 77 6e 72 79 }
+ 
+        condition:
+                $cwnry at 262324 and $twnry at 267672 and $cwnry at 284970
+}
+rule ransom_telefonica : TELEF
+{
+  meta:
+    author = "Jaume Martin <@Xumeiquer>"
+    description = "Ransmoware Telefonica"
+    date = "2017-05-13"
+    reference = "http://www.elmundo.es/tecnologia/2017/05/12/59158a8ce5fdea194f8b4616.html"
+    md5 = "7f7ccaa16fb15eb1c7399d422f8363e8"
+    sha256 = "2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd"
+  strings:
+    $a = "RegCreateKeyW" wide ascii nocase
+    $b = "cmd.exe /c"
+    $c = "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn" ascii
+    $d = "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw" ascii
+    $e = "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94" ascii
+    $f = "tasksche.exe"
+  condition:
+    uint16(0) == 0x5A4D and $a and for all of ($b, $c, $d, $e, $f) : (@ > @a)
+}

malware/malw_ms17-010_wannacrypt.yar

-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule MS17_010_WanaCry_worm {
-	meta:
-		description = "Worm exploiting MS17-010 and dropping WannaCry Ransomware"
-		author = "Felipe Molina (@felmoltor)"
-		reference = "https://www.exploit-db.com/exploits/41987/"
-		date = "2017/05/12"
-	strings:
-		$ms17010_str1="PC NETWORK PROGRAM 1.0"
-		$ms17010_str2="LANMAN1.0"
-		$ms17010_str3="Windows for Workgroups 3.1a"
-		$ms17010_str4="__TREEID__PLACEHOLDER__"
-		$ms17010_str5="__USERID__PLACEHOLDER__"
-		$wannacry_payload_substr1 = "h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j"
-		$wannacry_payload_substr2 = "h54WfF9cGigWFEx92bzmOd0UOaZlM"
-		$wannacry_payload_substr3 = "tpGFEoLOU6+5I78Toh/nHs/RAP"
-
-	condition:
-		all of them
-}
\ No newline at end of file