Ransom COVID themed

2024-11-06 10:05:18 +00:00 · 2020-04-15 21:25:44 +02:00 · 2020-04-15 21:25:44 +02:00 · 9c36c492ad
commit 9c36c492ad
parent 3294047c0b
1 changed files with 19 additions and 0 deletions
--- a/yara/crime_covid_ransom.yar
+++ b/yara/crime_covid_ransom.yar
@ -0,0 +1,19 @@
+
+rule MAL_RANSOM_COVID19_Apr20_1 {
+   meta:
+      description = "Detects ransomware distributed in COVID-19 theme"
+      author = "Florian Roth"
+      reference = "https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/"
+      date = "2020-04-15"
+      hash1 = "2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326"
+   strings:
+      $s1 = "/savekey.php" wide
+
+      $op1 = { 3f ff ff ff ff ff 0b b4 }
+      $op2 = { 60 2e 2e 2e af 34 34 34 b8 34 34 34 b8 34 34 34 }
+      $op3 = { 1f 07 1a 37 85 05 05 36 83 05 05 36 83 05 05 34 }
+   condition:
+      uint16(0) == 0x5a4d and
+      filesize < 700KB and
+      2 of them
+}