Sneed-Reactivity/yara-Neo23x0/crime_ransom_germanwiper.yar

28 lines
1.2 KiB
Text
Raw Normal View History

rule MAL_Ransomware_GermanWiper {
meta:
description = "Detects RansomWare GermanWiper in Memory or in unpacked state"
author = "Frank Boldewin (@r3c0nst), modified by Florian Roth"
reference = "https://twitter.com/r3c0nst/status/1158326526766657538"
date = "2019-08-05"
hash_packed = "41364427dee49bf544dcff61a6899b3b7e59852435e4107931e294079a42de7c"
hash_unpacked = "708967cad421bb2396017bdd10a42e6799da27e29264f4b5fb095c0e3503e447"
id = "e7587691-f69a-53e7-bab2-875179fbfa19"
strings:
$x_Mutex1 = "HSDFSD-HFSD-3241-91E7-ASDGSDGHH" ascii
$x_Mutex2 = "cFgxTERNWEVhM2V" ascii
// code patterns for process kills
$PurgeCode = { 6a 00 8b 47 08 50 6a 00 6a 01 e8 ?? ?? ?? ??
50 e8 ?? ?? ?? ?? 8b f0 8b d7 8b c3 e8 }
$ProcessKill1 = "sqbcoreservice.exe" ascii
$ProcessKill2 = "isqlplussvc.exe" ascii
$KillShadowCopies = "vssadmin.exe delete shadows" ascii
$Domain1 = "cdnjs.cloudflare.com" ascii
$Domain2 = "expandingdelegation.top" ascii
$RansomNote = "Entschluesselungs_Anleitung.html" ascii
condition:
uint16(0) == 0x5A4D and filesize < 1000KB and
( 1 of ($x*) or 3 of them )
}