Sneed-Reactivity/yara-mikesxrs/Booz Allen Hamilton/Double_Pulsar_Petya.yar

34 lines
1.6 KiB
Text
Raw Permalink Normal View History

rule DoublePulsarXor_Petya
{
meta:
description = "Rule to hit on the XORed DoublePulsar shellcode"
author = "Patrick Jones"
company = "Booz Allen Hamilton"
reference1 ="https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html"
reference2 = "https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf"
date = "2017-06-28"
hash = "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745"
hash = "64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1"
strings:
$DoublePulsarXor_Petya = { FD 0C 8C 5C B8 C4 24 C5 CC CC CC 0E E8 CC 24 6B CC CC CC 0F 24 CD CC CC CC 27 5C 97 75 BA CD CC CC C3 FE }
condition:
$DoublePulsarXor_Petya
}
rule DoublePulsarDllInjection_Petya
{
meta:
description = "Rule to hit on the XORed DoublePulsar DLL injection shellcode"
author = "Patrick Jones"
company = "Booz Allen Hamilton"
reference1 ="https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html"
reference2 = "https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf"
date = "2017-06-28"
hash = "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745"
hash = "64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1"
strings:
$DoublePulsarDllInjection_Petya = { 45 20 8D 93 8D 92 8D 91 8D 90 92 93 91 97 0F 9F 9E 9D 99 84 45 29 84 4D 20 CC CD CC CC 9B 84 45 03 84 45 14 84 45 49 CC 33 33 33 24 77 CC CC CC 84 45 49 C4 33 33 33 24 84 CD CC CC 84 45 49 DC 33 33 33 84 47 49 CC 33 33 33 84 47 41 }
condition:
$DoublePulsarDllInjection_Petya
}