create RANSOM_Sigma.yar

add new rule for Sigma ransomware

create RANSOM_Sigma.yar
add new rule for Sigma ransomware
92983d44 · techhelplist · GitHub · a03c6771 · 92983d44
Unverified Commit 92983d44 authored May 09, 2018 by techhelplist Committed by GitHub May 09, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 26 additions and 0 deletions

RANSOM_Sigma.yar malware/RANSOM_Sigma.yar +26 -0

No files found.
--- a/malware/RANSOM_Sigma.yar
+++ b/malware/RANSOM_Sigma.yar
+
+rule sigma_ransomware {
+
+  meta:
+    author = "J from THL <j@techhelplist.com>"
+    date = "20180509"
+    reference1 = "https://www.virustotal.com/#/file/705ad78bf5503e6022f08da4c347afb47d4e740cfe6c39c08550c740c3be96ba"
+    reference2 = "https://www.virustotal.com/#/file/bb3533440c27a115878ae541aba3bda02d441f3ea1864b868862255aabb0c8ff"
+    version = 1
+    maltype = "Ransomware"
+    filetype = "memory"
+
+  strings:
+    $a = ".php?"
+    $b = "uid="
+    $c = "&uname="
+    $d = "&os="
+    $e = "&pcname="
+    $f = "&total="
+    $g = "&country="
+    $h = "&network="
+    $i = "&subid="
+
+  condition:
+    all of them
+}