Sneed-Reactivity/yara-mikesxrs/g00dv1n/Trojan.Ransom.yar

56 lines
1.6 KiB
Text
Raw Normal View History

rule TrojanRansomRevetonSample
{
meta:
Description = "Trojan.Reveton.sm"
ThreatLevel = "5"
strings:
$a = "JimmMonsterNew" ascii wide
$ = "regedit.exe" ascii wide
$ = "rundll32.exe" ascii wide
$ = "msconfig.lnk" ascii wide
$ = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" ascii wide
$ = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell" ascii wide
$ = "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ctfmon.exe" ascii wide
condition:
(3 of them) or $a
}
rule TrojanWin32UrausySampleA
{
meta:
Description = "Trojan.Urausy.sm"
ThreatLevel = "5"
strings:
$a = { 55 89 E5 53 56 57 83 0D ?? ?? ?? ?? 01 31 C0 5F 5E 5B C9 C2 04 00 }
$b = { FF 15 ?? ?? ?? ?? 09 C0 0F 84 ?? ?? ?? ?? 8B 75 ?? 89 C3 6A 01 6A FF 6A 05 56 E8 }
condition:
$a and $b
}
rule TrojanRansomWin32TobfySample
{
meta:
Description = "Trojan.Tobfy.sm"
ThreatLevel = "5"
strings:
$ = "http://62.109.28.231/gtx3d16bv3/upload/img.jpg" ascii wide
$ = "http://62.109.28.231/gtx3d16bv3/upload/mp3.mp3" ascii wide
$ = "Pay MoneyPak" ascii wide
$ = "You have 72 hours to pay the fine!" ascii wide
$ = "Wait! Your request is processed within 24 hours." ascii wide
$a = "G:\\WORK\\WORK_PECEPB\\Work_2012 Private\\Project L-0-ck_ER\\NEW Extern\\inject\\injc\\Release\\injc.pdb" ascii wide
$b = "G:\\WORK\\WORK_PECEPB\\Work_2012 Private\\Project L-0-ck_ER\\Version V 1.0\\V1.0\\Release\\te.pdb" ascii wide
$ = "picture.php?pin=" ascii wide
$ = "s\\sound.mp3" ascii wide
$ = "s\\1.jpg" ascii wide
$ = "s\\1.bmp" ascii wide
$ = "getunlock.php" ascii wide
condition:
(4 of them) or $a or $b
}