mirror of
https://github.com/valitydev/signature-base.git
synced 2024-11-07 02:25:19 +00:00
32 lines
968 B
Plaintext
32 lines
968 B
Plaintext
/*
|
|
Yara Rule Set
|
|
Author: Florian Roth
|
|
Date: 2016-03-24
|
|
Identifier: Petya Ransomware
|
|
*/
|
|
|
|
/* Rule Set ----------------------------------------------------------------- */
|
|
|
|
rule Petya_Ransomware {
|
|
meta:
|
|
description = "Detects Petya Ransomware"
|
|
author = "Florian Roth"
|
|
reference = "http://www.heise.de/newsticker/meldung/Erpressungs-Trojaner-Petya-riegelt-den-gesamten-Rechner-ab-3150917.html"
|
|
date = "2016-03-24"
|
|
hash = "26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739"
|
|
strings:
|
|
$a1 = "<description>WinRAR SFX module</description>" fullword ascii
|
|
|
|
$s1 = "BX-Proxy-Manual-Auth" fullword wide
|
|
$s2 = "<!--The ID below indicates application support for Windows 10 -->" fullword ascii
|
|
$s3 = "X-HTTP-Attempts" fullword wide
|
|
$s4 = "@CommandLineMode" fullword wide
|
|
$s5 = "X-Retry-After" fullword wide
|
|
condition:
|
|
(
|
|
uint16(0) == 0x5a4d and filesize < 500KB and 3 of them
|
|
) or (
|
|
all of them
|
|
) and not filename matches /Google/
|
|
}
|