mirror of
https://github.com/valitydev/signature-base.git
synced 2024-11-06 18:15:20 +00:00
20 lines
688 B
Plaintext
20 lines
688 B
Plaintext
|
|
rule MAL_RANSOM_COVID19_Apr20_1 {
|
|
meta:
|
|
description = "Detects ransomware distributed in COVID-19 theme"
|
|
author = "Florian Roth"
|
|
reference = "https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/"
|
|
date = "2020-04-15"
|
|
hash1 = "2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326"
|
|
strings:
|
|
$s1 = "/savekey.php" wide
|
|
|
|
$op1 = { 3f ff ff ff ff ff 0b b4 }
|
|
$op2 = { 60 2e 2e 2e af 34 34 34 b8 34 34 34 b8 34 34 34 }
|
|
$op3 = { 1f 07 1a 37 85 05 05 36 83 05 05 36 83 05 05 34 }
|
|
condition:
|
|
uint16(0) == 0x5a4d and
|
|
filesize < 700KB and
|
|
2 of them
|
|
}
|