Sneed-Reactivity/yara-mikesxrs/McAfee/BadRabbit_Ransomware.yar

40 lines
2 KiB
Text
Raw Normal View History

import "pe"
rule sig_8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 {
meta:
description = "Bad Rabbit Ransomware"
author = "Christiaan Beek"
reference = "BadRabbit"
date = "2017-10-24"
hash1 = "8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93"
source = "https://pastebin.com/Y7pJv3tK"
Source2 = "https://twitter.com/ChristiaanBeek/status/922858684623056898"
strings:
$x1 = "schtasks /Create /SC ONCE /TN viserion_%u /RU SYSTEM /TR \"%ws\" /ST %02d:%02d:00" fullword wide
$x2 = "need to do is submit the payment and get the decryption password." fullword ascii
$s3 = "If you have already got the password, please enter it below." fullword ascii
$s4 = "dispci.exe" fullword wide
$s5 = "\\\\.\\GLOBALROOT\\ArcName\\multi(0)disk(0)rdisk(0)partition(1)" fullword wide
$s6 = "Run DECRYPT app at your desktop after system boot" fullword ascii
$s7 = "Enter password#1: " fullword wide
$s8 = "Enter password#2: " fullword wide
$s9 = "C:\\Windows\\cscc.dat" fullword wide
$s10 = "schtasks /Delete /F /TN %ws" fullword wide
$s11 = "Password#1: " fullword ascii
$s12 = "\\AppData" fullword wide
$s13 = "Readme.txt" fullword wide
$s14 = "Disk decryption completed" fullword wide
$s15 = "Files decryption completed" fullword wide
$s16 = "http://diskcryptor.net/" fullword wide
$s17 = "Your personal installation key#1:" fullword ascii
$s18 = ".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg." wide
$s19 = "Disable your anti-virus and anti-malware programs" fullword wide
$s20 = "bootable partition not mounted" fullword ascii
condition:
( uint16(0) == 0x5a4d and
filesize < 400KB and
pe.imphash() == "94f57453c539227031b918edd52fc7f1" and
( 1 of ($x*) or 4 of them )
) or ( all of them )
}