36 lines
1 KiB
Text
36 lines
1 KiB
Text
|
|
||
|
rule EQN_SMB1_PatientZero
|
||
|
{
|
||
|
meta:
|
||
|
description = "Detection of network traffic towards the 1st sinkholes domain - kill switch"
|
||
|
author = "Kiran Bandla - iDefense"
|
||
|
reference = "https://s3.amazonaws.com/assets.accenture.com/PDF/Accenture-Security-Ransomware.pdf"
|
||
|
strings:
|
||
|
$smb1_free_hole = { 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff fe 00 00 40 00 0c ff 00 00 00 04 11 0a 00 }
|
||
|
$ipc = "\\\\%s\\IPC$"
|
||
|
$userid = "__USERID__PLACEHOLDER__"
|
||
|
$treeid = "__TREEID__PLACEHOLDER__"
|
||
|
$old_c2 = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
|
||
|
condition:
|
||
|
$smb1_free_hole and $ipc and $userid and $treeid and $old_c2
|
||
|
}
|
||
|
|
||
|
rule WanaCrypt0r
|
||
|
{
|
||
|
meta:
|
||
|
description = "Detects artifacts from WanaCrypt0r Ransomware"
|
||
|
author = "Kiran Bandla - iDefense"
|
||
|
reference = "https://s3.amazonaws.com/assets.accenture.com/PDF/Accenture-Security-Ransomware.pdf"
|
||
|
strings:
|
||
|
$a = "WanaDecryptor"
|
||
|
$b = "Wana Decrypt0r"
|
||
|
$c = "WanaCrypt0r"
|
||
|
$d = ".wnry"
|
||
|
$e = ".WNRY"
|
||
|
$f = "bitcoin"
|
||
|
$g = "vssadmin"
|
||
|
$h = "torproject"
|
||
|
condition:
|
||
|
4 of them
|
||
|
}
|