Sneed-Reactivity/yara-Neo23x0/crime_covid_ransom.yar


rule MAL_RANSOM_COVID19_Apr20_1 {
   meta:
      description = "Detects ransomware distributed in COVID-19 theme"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/"
      date = "2020-04-15"
      hash1 = "2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326"
      id = "fc723d1f-e969-5af6-af57-70d00bf797f4"
   strings:
      $s1 = "/savekey.php" wide

      $op1 = { 3f ff ff ff ff ff 0b b4 }
      $op2 = { 60 2e 2e 2e af 34 34 34 b8 34 34 34 b8 34 34 34 }
      $op3 = { 1f 07 1a 37 85 05 05 36 83 05 05 36 83 05 05 34 }
   condition:
      uint16(0) == 0x5a4d and
      filesize < 700KB and
      2 of them
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00
			`rule MAL_RANSOM_COVID19_Apr20_1 {`
			`meta:`
			`description = "Detects ransomware distributed in COVID-19 theme"`
			`author = "Florian Roth (Nextron Systems)"`
			`reference = "https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/"`
			`date = "2020-04-15"`
			`hash1 = "2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326"`
			`id = "fc723d1f-e969-5af6-af57-70d00bf797f4"`
			`strings:`
			`$s1 = "/savekey.php" wide`

			`$op1 = { 3f ff ff ff ff ff 0b b4 }`
			`$op2 = { 60 2e 2e 2e af 34 34 34 b8 34 34 34 b8 34 34 34 }`
			`$op3 = { 1f 07 1a 37 85 05 05 36 83 05 05 36 83 05 05 34 }`
			`condition:`
			`uint16(0) == 0x5a4d and`
			`filesize < 700KB and`
			`2 of them`
			`}`