Sneed-Reactivity/yara-mikesxrs/iDefense/WannaCrypt0r.yara


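rule EQN_SMB1_PatientZero
{
    // WannaCry (WanaCrypt0r) SMBv1 worm component. The condition requires
    // EVERY string below, so a hit needs the SMB exploit artifacts and the
    // original kill-switch domain in the same object. The previous
    // description ("network traffic towards the 1st sinkholes domain")
    // described only the last string and understated what the rule demands.
    meta:
        description = "WannaCry SMBv1 worm component: SMB1 byte fragment, \\\\%s\\IPC$ UNC template, USERID/TREEID placeholders and the first (sinkholed) kill-switch domain - all strings required"
        author = "Kiran Bandla - iDefense"
        reference = "https://s3.amazonaws.com/assets.accenture.com/PDF/Accenture-Security-Ransomware.pdf"
    strings:
        // Raw byte run; the identifier indicates an SMB1 request fragment.
        // Confirm the exact offset/meaning against the reference before
        // tightening or loosening this pattern.
        $smb1_free_hole = { 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff fe 00 00 40 00 0c ff 00 00 00 04 11 0a 00 }
        // YARA unescapes the literal to \\%s\IPC$ : a printf-style UNC path
        // to the IPC$ share, with the host substituted at runtime.
        $ipc = "\\\\%s\\IPC$"
        // Placeholder tokens; the names suggest they are overwritten with the
        // real SMB UserID/TreeID before use. Rare in benign binaries.
        $userid = "__USERID__PLACEHOLDER__"
        $treeid = "__TREEID__PLACEHOLDER__"
        // First kill-switch domain (sinkholed per the meta description). On
        // its own it may also appear in reports and research tooling, which
        // is why the condition is a conjunction rather than "any of them".
        $old_c2 = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
    condition:
        // Equivalent to $smb1_free_hole and $ipc and $userid and $treeid and $old_c2.
        all of them
}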
rule WanaCrypt0r
{
    // Loose artifact rule for WanaCrypt0r / WannaCry: fires when any four of
    // the eight strings below are present. Three of them ("bitcoin",
    // "vssadmin", "torproject") are generic, and the two ".wnry" variants are
    // counted separately, so documents or reports that merely discuss the
    // ransomware can also reach the threshold. Treat hits as triage leads,
    // not confirmation; if false positives become a problem, consider a
    // PE-magic check or a single nocase extension string (both would change
    // behaviour and are deliberately not applied here).
    meta:
        description = "Detects artifacts from WanaCrypt0r Ransomware"
        author = "Kiran Bandla - iDefense"
        reference = "https://s3.amazonaws.com/assets.accenture.com/PDF/Accenture-Security-Ransomware.pdf"
    strings:
        // Family-specific names shown in the decryptor UI / binaries.
        $name_decryptor = "WanaDecryptor"
        $name_decrypt0r = "Wana Decrypt0r"
        $name_crypt0r = "WanaCrypt0r"
        // Encrypted-file / support-file extension, both casings counted.
        $ext_lower = ".wnry"
        $ext_upper = ".WNRY"
        // Generic strings: ransom payment, shadow-copy deletion tool, Tor.
        $generic_btc = "bitcoin"
        $generic_vssadmin = "vssadmin"
        $generic_tor = "torproject"
    condition:
        // Same threshold as "4 of them".
        4 of ($*)
}