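rule RANSOMWARE_RAA {
    // Detects JScript droppers resembling RAA ransomware: a script that decrypts an
    // embedded payload via CryptoJS AES and carries the "RAA-SEP" marker, or one that
    // combines the generic WSH/ActiveX dropper calls below with one of those markers.
    meta:
        // Typo fixed ("Identifes" -> "Identifies"); the description is metadata only
        // and does not affect matching.
        description = "Identifies samples containing JS dropper similar to RAA ransomware."
        author = "nshadov"
        reference = "https://malwr.com/analysis/YmE4MDNlMzk2MjY3NDdlYWE1NzFiOTNlYzVhZTlkM2Y/"
        date = "2016-06-15"
        // 32 hex chars, i.e. an MD5 — presumably of the referenced sample; verify against
        // the reference before relying on it for pivoting.
        hash = "535494aa6ce3ccef7346b548da5061a9"
        // far/frr are non-standard meta fields (presumably false-alarm / false-rejection
        // rate). They were never populated, so treat the rule as unmeasured against a
        // clean corpus: suitable for hunting, not for automated blocking, until tested.
        far = "unknown"
        frr = "unknown"

    strings:
        // Specific ($sp*): RAA-characteristic markers. `fullword` requires the match to
        // be delimited by non-alphanumeric characters, so a longer identifier that merely
        // contains the text does not hit. ascii only — add `wide` if UTF-16-encoded
        // scripts must also be covered.
        $sp0 = "CryptoJS.AES.decrypt" fullword ascii
        $sp1 = "RAA-SEP" fullword ascii

        // Generic ($sb*): Windows Script Host / ActiveX calls seen in many JS droppers.
        // On their own they are not indicative of RAA, which is why the condition never
        // fires on these alone. $sb2 includes the trailing ';' so a match is anchored to
        // the exact statement form.
        $sb0 = "ActiveXObject(\"Scriptlet.TypeLib\")" fullword ascii
        $sb1 = "ActiveXObject(\"Scripting.FileSystemObject\")" fullword ascii
        $sb2 = "WScript.CreateObject(\"WScript.Shell\");" fullword ascii

    condition:
        // Size window (both bounds exclusive) keeps tiny stubs and large bundled files
        // out of scope; then require either both specific markers, or all three generic
        // dropper calls plus at least one specific marker.
        filesize > 10KB and filesize < 800KB and
        (
            all of ($sp*) or
            ( all of ($sb*) and 1 of ($sp*) )
        )
}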