SigmaHQ/rules/windows/malware/win_mal_lockergoga.yml

title: LockerGoga Ransomware
id: 74db3488-fd28-480a-95aa-b7af626de068
author: Vasiliy Burov, oscd.community
date: 2020/10/18
description: Detects LockerGoga Ransomware command line.
status: experimental
references:
    - https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a
    - https://blog.f-secure.com/analysis-of-lockergoga-ransomware/
    - https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/
tags:
    - attack.impact
    - attack.t1486
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: '-i SM-tgytutrc -s'
    condition: selection
falsepositives:
    - Unlikely
level: critical
Create win_mal_lockergoga.yml 2020-10-18 17:25:37 +00:00			`title: LockerGoga Ransomware`
			`id: 74db3488-fd28-480a-95aa-b7af626de068`
			`author: Vasiliy Burov, oscd.community`
			`date: 2020/10/18`
			`description: Detects LockerGoga Ransomware command line.`
			`status: experimental`
			`references:`
			`- https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a`
			`- https://blog.f-secure.com/analysis-of-lockergoga-ransomware/`
			`- https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/`
			`tags:`
			`- attack.impact`
			`- attack.t1486`
			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection:`
			`CommandLine\|contains: '-i SM-tgytutrc -s'`
			`condition: selection`
			`falsepositives:`
			`- Unlikely`
			`level: critical`