112 lines
2.3 KiB
Text
112 lines
2.3 KiB
Text
|
/*
|
||
|
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
|
||
|
|
||
|
*/
|
||
|
|
||
|
import "cuckoo"
|
||
|
|
||
|
rule ransomware : svpeng
|
||
|
{
|
||
|
meta:
|
||
|
author = "Fernando Denis https://twitter.com/fdrg21"
|
||
|
reference = "https://koodous.com/"
|
||
|
description = "Ransomware"
|
||
|
in_the_wild = true
|
||
|
|
||
|
strings:
|
||
|
$a = {6e 64 20 79 6f 75 72 27 73 20 64 65 76 69 63 65 20 77 69 6c 6c 20 72 65 62 6f 6f 74 20 61 6e 64}
|
||
|
$b = "ADD_DEVICE_ADMI"
|
||
|
|
||
|
condition:
|
||
|
$a and $b
|
||
|
}
|
||
|
|
||
|
|
||
|
rule Ransomware : banker
|
||
|
{
|
||
|
meta:
|
||
|
author = "Fernando Denis https://twitter.com/fdrg21"
|
||
|
reference = "https://koodous.com/"
|
||
|
description = "Ransomware Test 2"
|
||
|
thread_level = 3
|
||
|
in_the_wild = true
|
||
|
|
||
|
strings:
|
||
|
|
||
|
$strings_a = "!2,.B99^GGD&R-"
|
||
|
$strings_b = "22922222222222222222Q^SAAWA"
|
||
|
$strings_c = "t2222222222229222Q^SAAWA"
|
||
|
|
||
|
|
||
|
|
||
|
condition:
|
||
|
any of ($strings_*)
|
||
|
}
|
||
|
|
||
|
rule koler_domains
|
||
|
{
|
||
|
meta:
|
||
|
author = "https://twitter.com/jsmesa"
|
||
|
reference = "https://koodous.com/"
|
||
|
description = "Old Koler.A domains examples"
|
||
|
sample = "2e1ca3a9f46748e0e4aebdea1afe84f1015e3e7ce667a91e4cfabd0db8557cbf"
|
||
|
|
||
|
condition:
|
||
|
cuckoo.network.dns_lookup(/police-scan-mobile.com/) or
|
||
|
cuckoo.network.dns_lookup(/police-secure-mobile.com/) or
|
||
|
cuckoo.network.dns_lookup(/mobile-policeblock.com/) or
|
||
|
cuckoo.network.dns_lookup(/police-strong-mobile.com/) or
|
||
|
cuckoo.network.dns_lookup(/video-porno-gratuit.eu/) or
|
||
|
cuckoo.network.dns_lookup(/video-sartex.us/) or
|
||
|
cuckoo.network.dns_lookup(/policemobile.biz/)
|
||
|
}
|
||
|
|
||
|
rule koler_builds
|
||
|
{
|
||
|
meta:
|
||
|
author = "https://twitter.com/jsmesa"
|
||
|
reference = "https://koodous.com/"
|
||
|
description = "Koler.A builds"
|
||
|
|
||
|
strings:
|
||
|
$0 = "buildid"
|
||
|
$a = "DCEF055EEE3F76CABB27B3BD7233F6E3"
|
||
|
$b = "C143D55D996634D1B761709372042474"
|
||
|
|
||
|
condition:
|
||
|
$0 and ($a or $b)
|
||
|
|
||
|
}
|
||
|
|
||
|
rule koler_class
|
||
|
{
|
||
|
meta:
|
||
|
author = "https://twitter.com/jsmesa"
|
||
|
reference = "https://koodous.com/"
|
||
|
description = "Koler.A class"
|
||
|
|
||
|
strings:
|
||
|
$0 = "FIND_VALID_DOMAIN"
|
||
|
$a = "6589y459"
|
||
|
|
||
|
condition:
|
||
|
$0 and $a
|
||
|
|
||
|
}
|
||
|
|
||
|
rule koler_D
|
||
|
{
|
||
|
meta:
|
||
|
author = "https://twitter.com/jsmesa"
|
||
|
reference = "https://koodous.com/"
|
||
|
description = "Koler.D class"
|
||
|
|
||
|
strings:
|
||
|
$0 = "ZActivity"
|
||
|
$a = "Lcom/android/zics/ZRuntimeInterface"
|
||
|
|
||
|
condition:
|
||
|
($0 and $a)
|
||
|
|
||
|
}
|