Removing some false positives

7f805a3a · Jaume Martin · GitHub · 2b85939f · 7f805a3a
Commit 7f805a3a authored May 13, 2017 by Jaume Martin Committed by GitHub May 13, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 20 deletions

RANSOM_Telefonica.yar malware/RANSOM_Telefonica.yar +16 -20

No files found.
--- a/malware/RANSOM_Telefonica.yar
+++ b/malware/RANSOM_Telefonica.yar
-import "pe"
 rule ransom_telefonica : TELEF
 {
-	meta: 
+  meta:
-		author = "Joan Bono <@joan_bono>"
+    author = "Jaume Martin <@Xumeiquer>"
-		description = "Ransmoware Telefonica. WannaCry variant"
+    description = "Ransmoware Telefonica"
-		date = "2017-05-12"
+    date = "2017-05-13"
-		reference = "http://www.elmundo.es/tecnologia/2017/05/12/59158a8ce5fdea194f8b4616.html"
+    reference = "http://www.elmundo.es/tecnologia/2017/05/12/59158a8ce5fdea194f8b4616.html"
-		md5 = "7f7ccaa16fb15eb1c7399d422f8363e8"
+    md5 = "7f7ccaa16fb15eb1c7399d422f8363e8"
-		sha256 = "2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd"
+    sha256 = "2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd"
-	strings:	
+  strings:
-		$a = "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn" wide ascii nocase
+    $a = "RegCreateKeyW" wide ascii nocase
-		$b = "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw" wide ascii nocase
+    $b = "cmd.exe /c"
-		$c = "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94" wide ascii nocase
+    $c = "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn" ascii
-		$d = "tasksche.exe"
+    $d = "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw" ascii
-		$e = "RegCreateKeyW" wide ascii nocase
+    $e = "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94" ascii
-		$f = "cmd.exe /c"
+    $f = "tasksche.exe"
-	condition:
+  condition:
-		pe.characteristics and
+    uint16(0) == 0x5A4D and $a and for all of ($b, $c, $d, $e, $f) : (@ > @a)
-		for any of ($a, $b, $c, $d, $e, $f): (@ > @a)
 }