rule MAL_Ransomware_GermanWiper {
    // Matches GermanWiper ransomware as a PE image in memory or in its unpacked form.
    // All string indicators are declared `ascii` only, so UTF-16 (wide) copies of the
    // same values are not covered by this rule.
    meta:
        description = "Detects RansomWare GermanWiper in Memory or in unpacked state"
        author = "Frank Boldewin (@r3c0nst), modified by Florian Roth"
        reference = "https://twitter.com/r3c0nst/status/1158326526766657538"
        date = "2019-08-05"
        hash_packed = "41364427dee49bf544dcff61a6899b3b7e59852435e4107931e294079a42de7c"
        hash_unpacked = "708967cad421bb2396017bdd10a42e6799da27e29264f4b5fb095c0e3503e447"

        id = "e7587691-f69a-53e7-bab2-875179fbfa19"
    strings:
        // High-confidence indicators: the $x* prefix lets the condition accept a
        // single hit from this group on its own.
        $x_Mutex1 = "HSDFSD-HFSD-3241-91E7-ASDGSDGHH" ascii
        $x_Mutex2 = "cFgxTERNWEVhM2V" ascii

        // code patterns for process kills
        // (wildcard bytes ?? stand for the relative call targets, which vary per build)
        $PurgeCode = { 6a 00 8b 47 08 50 6a 00 6a 01 e8 ?? ?? ?? ??
                       50 e8 ?? ?? ?? ?? 8b f0 8b d7 8b c3 e8 }
        // Supporting indicators: any three strings in the rule also satisfy the condition.
        $ProcessKill1 = "sqbcoreservice.exe" ascii
        $ProcessKill2 = "isqlplussvc.exe" ascii
        // Volume shadow copy deletion command line
        $KillShadowCopies = "vssadmin.exe delete shadows" ascii
        // NOTE(review): cdnjs.cloudflare.com is a widely used public CDN host and counts
        // toward "3 of them"; confirm its contribution to false positives on benign samples.
        $Domain1 = "cdnjs.cloudflare.com" ascii
        $Domain2 = "expandingdelegation.top" ascii
        // Ransom note file name (German: "decryption instructions")
        $RansomNote = "Entschluesselungs_Anleitung.html" ascii
    condition:
        // MZ magic at offset 0 plus a size cap restrict evaluation to PE files under 1000KB
        uint16(0) == 0x5A4D and filesize < 1000KB and
        // Either one mutex string alone, or any three of the declared strings
        ( 1 of ($x*) or 3 of them )
}