28 lines
446 B
Text
28 lines
446 B
Text
|
rule crime_ransomware_windows_GPGQwerty: crime_ransomware_windows_GPGQwerty
|
|||
|
|
|||
|
{
|
|||
|
|
|||
|
meta:
|
|||
|
|
|||
|
author = "McAfee Labs"
|
|||
|
|
|||
|
description = "Detect GPGQwerty ransomware"
|
|||
|
|
|||
|
reference = "https://securingtomorrow.mcafee.com/mcafee-labs/ransomware-takes-open-source-path-encrypts-gnu-privacy-guard/"
|
|||
|
|
|||
|
strings:
|
|||
|
|
|||
|
$a = "gpg.exe –recipient qwerty -o"
|
|||
|
|
|||
|
$b = "%s%s.%d.qwerty"
|
|||
|
|
|||
|
$c = "del /Q /F /S %s$recycle.bin"
|
|||
|
|
|||
|
$d = "cryz1@protonmail.com"
|
|||
|
|
|||
|
condition:
|
|||
|
|
|||
|
all of them
|
|||
|
|
|||
|
}
|