mirror of
https://github.com/valitydev/signature-base.git
synced 2024-11-06 18:15:20 +00:00
142 lines
5.5 KiB
Plaintext
142 lines
5.5 KiB
Plaintext
|
|
/*
|
|
Yara Rule Set
|
|
Author: Florian Roth
|
|
Date: 2017-05-12
|
|
Identifier: WannaCry
|
|
Reference: https://goo.gl/HG2j5T
|
|
*/
|
|
|
|
/* Rule Set ----------------------------------------------------------------- */
|
|
|
|
rule WannaCry_Ransomware {
|
|
meta:
|
|
description = "Detects WannaCry Ransomware"
|
|
author = "Florian Roth (with the help of binar.ly)"
|
|
reference = "https://goo.gl/HG2j5T"
|
|
date = "2017-05-12"
|
|
hash1 = "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
|
|
strings:
|
|
$x1 = "icacls . /grant Everyone:F /T /C /Q" fullword ascii
|
|
$x2 = "taskdl.exe" fullword ascii
|
|
$x3 = "tasksche.exe" fullword ascii
|
|
$x4 = "Global\\MsWinZonesCacheCounterMutexA" fullword ascii
|
|
$x5 = "WNcry@2ol7" fullword ascii
|
|
$x6 = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" ascii
|
|
$x7 = "mssecsvc.exe" fullword ascii
|
|
$x8 = "C:\\%s\\qeriuwjhrf" fullword ascii
|
|
$x9 = "icacls . /grant Everyone:F /T /C /Q" fullword ascii
|
|
|
|
$s1 = "C:\\%s\\%s" fullword ascii
|
|
$s2 = "<!-- Windows 10 --> " fullword ascii
|
|
$s3 = "cmd.exe /c \"%s\"" fullword ascii
|
|
$s4 = "msg/m_portuguese.wnry" fullword ascii
|
|
$s5 = "\\\\192.168.56.20\\IPC$" fullword wide
|
|
$s6 = "\\\\172.16.99.5\\IPC$" fullword wide
|
|
|
|
$op1 = { 10 ac 72 0d 3d ff ff 1f ac 77 06 b8 01 00 00 00 }
|
|
$op2 = { 44 24 64 8a c6 44 24 65 0e c6 44 24 66 80 c6 44 }
|
|
$op3 = { 18 df 6c 24 14 dc 64 24 2c dc 6c 24 5c dc 15 88 }
|
|
$op4 = { 09 ff 76 30 50 ff 56 2c 59 59 47 3b 7e 0c 7c }
|
|
$op5 = { c1 ea 1d c1 ee 1e 83 e2 01 83 e6 01 8d 14 56 }
|
|
$op6 = { 8d 48 ff f7 d1 8d 44 10 ff 23 f1 23 c1 }
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 10000KB and ( 1 of ($x*) and 1 of ($s*) or 3 of ($op*) )
|
|
}
|
|
|
|
rule WannaCry_Ransomware_Gen {
|
|
meta:
|
|
description = "Detects WannaCry Ransomware"
|
|
author = "Florian Roth (based on rule by US CERT)"
|
|
reference = "https://www.us-cert.gov/ncas/alerts/TA17-132A"
|
|
date = "2017-05-12"
|
|
hash1 = "9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05"
|
|
hash2 = "8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df"
|
|
hash3 = "4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359"
|
|
strings:
|
|
$s1 = "__TREEID__PLACEHOLDER__" fullword ascii
|
|
$s2 = "__USERID__PLACEHOLDER__" fullword ascii
|
|
$s3 = "Windows for Workgroups 3.1a" fullword ascii
|
|
$s4 = "PC NETWORK PROGRAM 1.0" fullword ascii
|
|
$s5 = "LANMAN1.0" fullword ascii
|
|
condition:
|
|
uint16(0) == 0x5a4d and filesize < 5000KB and all of them
|
|
}
|
|
|
|
rule WannCry_m_vbs {
|
|
meta:
|
|
description = "Detects WannaCry Ransomware VBS"
|
|
license = "https://creativecommons.org/licenses/by-nc/4.0/"
|
|
author = "Florian Roth"
|
|
reference = "https://goo.gl/HG2j5T"
|
|
date = "2017-05-12"
|
|
hash1 = "51432d3196d9b78bdc9867a77d601caffd4adaa66dcac944a5ba0b3112bbea3b"
|
|
strings:
|
|
$x1 = ".TargetPath = \"C:\\@" ascii
|
|
$x2 = ".CreateShortcut(\"C:\\@" ascii
|
|
$s3 = " = WScript.CreateObject(\"WScript.Shell\")" ascii
|
|
condition:
|
|
( uint16(0) == 0x4553 and filesize < 1KB and all of them )
|
|
}
|
|
|
|
rule WannCry_BAT {
|
|
meta:
|
|
description = "Detects WannaCry Ransomware BATCH File"
|
|
license = "https://creativecommons.org/licenses/by-nc/4.0/"
|
|
author = "Florian Roth"
|
|
reference = "https://goo.gl/HG2j5T"
|
|
date = "2017-05-12"
|
|
hash1 = "f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077"
|
|
strings:
|
|
$s1 = "@.exe\">> m.vbs" ascii
|
|
$s2 = "cscript.exe //nologo m.vbs" fullword ascii
|
|
$s3 = "echo SET ow = WScript.CreateObject(\"WScript.Shell\")> " ascii
|
|
$s4 = "echo om.Save>> m.vbs" fullword ascii
|
|
condition:
|
|
( uint16(0) == 0x6540 and filesize < 1KB and 1 of them )
|
|
}
|
|
|
|
rule WannaCry_RansomNote {
|
|
meta:
|
|
description = "Detects WannaCry Ransomware Note"
|
|
license = "https://creativecommons.org/licenses/by-nc/4.0/"
|
|
author = "Florian Roth"
|
|
reference = "https://goo.gl/HG2j5T"
|
|
date = "2017-05-12"
|
|
hash1 = "4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e"
|
|
strings:
|
|
$s1 = "A: Don't worry about decryption." fullword ascii
|
|
$s2 = "Q: What's wrong with my files?" fullword ascii
|
|
condition:
|
|
( uint16(0) == 0x3a51 and filesize < 2KB and all of them )
|
|
}
|
|
|
|
/* Kaspersky Rule */
|
|
|
|
rule APT_lazaruswannacry {
|
|
meta:
|
|
description = "Rule based on shared code between Feb 2017 Wannacry sample and Lazarus backdoor from Feb 2015 discovered by Neel Mehta"
|
|
date = "2017-05-15"
|
|
reference = "https://twitter.com/neelmehta/status/864164081116225536"
|
|
author = "Costin G. Raiu, Kaspersky Lab"
|
|
version = "1.0"
|
|
hash = "9c7c7149387a1c79679a87dd1ba755bc"
|
|
hash = "ac21c8ad899727137c4b94458d7aa8d8"
|
|
strings:
|
|
$a1 = { 51 53 55 8B 6C 24 10 56 57 6A 20 8B 45 00 8D 75
|
|
04 24 01 0C 01 46 89 45 00 C6 46 FF 03 C6 06 01 46
|
|
56 E8 }
|
|
$a2 = { 03 00 04 00 05 00 06 00 08 00 09 00 0A 00 0D 00
|
|
10 00 11 00 12 00 13 00 14 00 15 00 16 00 2F 00
|
|
30 00 31 00 32 00 33 00 34 00 35 00 36 00 37 00
|
|
38 00 39 00 3C 00 3D 00 3E 00 3F 00 40 00 41 00
|
|
44 00 45 00 46 00 62 00 63 00 64 00 66 00 67 00
|
|
68 00 69 00 6A 00 6B 00 84 00 87 00 88 00 96 00
|
|
FF 00 01 C0 02 C0 03 C0 04 C0 05 C0 06 C0 07 C0
|
|
08 C0 09 C0 0A C0 0B C0 0C C0 0D C0 0E C0 0F C0
|
|
10 C0 11 C0 12 C0 13 C0 14 C0 23 C0 24 C0 27 C0
|
|
2B C0 2C C0 FF FE }
|
|
condition:
|
|
uint16(0) == 0x5A4D and filesize < 15000000 and all of them
|
|
}
|