Create RANSOM_termite

eb858331 · Marc Rivero López · GitHub · c57d61c3 · eb858331
Unverified Commit eb858331 authored Sep 02, 2018 by Marc Rivero López Committed by GitHub Sep 02, 2018
Show whitespace changes
Inline Side-by-side

Showing with 23 additions and 0 deletions

RANSOM_termite malware/RANSOM_termite +23 -0

No files found.
--- a/malware/RANSOM_termite
+++ b/malware/RANSOM_termite
+rule termite_ransomware {
+   meta:
+      description = "Rule to detect Termite Ransomware"
+      author = "Marc Rivero | @seifreed"
+      reference = "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"
+   strings:
+      $s1 = "C:\\Windows\\SysNative\\mswsock.dll" fullword ascii
+      $s2 = "C:\\Windows\\SysWOW64\\mswsock.dll" fullword ascii
+      $s3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Termite.exe" fullword ascii
+      $s4 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Payment.exe" fullword ascii
+      $s5 = "C:\\Windows\\Termite.exe" fullword ascii
+      $s6 = "\\Shell\\Open\\Command\\" fullword ascii
+      $s7 = "t314.520@qq.com" fullword ascii
+      $s8 = "(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG" fullword ascii
+   condition:
+      ( uint16(0) == 0x5a4d and filesize < 6000KB ) and all of them 
+}