
// On-disk (static) WannaCryptor detector. The condition requires one hit from each
// of four independent groups: a mutex-or-language-resource marker, a ransom file
// extension, a family-name string, and a start argument. Requiring all four groups
// is what keeps the individually generic strings (e.g. "StartTask") from firing alone.
rule wannacry_static_ransom : wannacry_static_ransom {
meta:
description = "Detects WannaCryptor spreaded during 2017-May-12th campaign and variants"
author = "Blueliv"
reference = "https://blueliv.com/research/wannacrypt-malware-analysis/"
date = "2017-05-15"
strings:
// Group 1: a global mutex name, or any of the "m_<language>.wnr*" resource file names.
// $lang01 deliberately lacks the trailing "y", so it also matches "m_bulgarian.wnry" as a prefix.
// All strings in this rule are case-sensitive (no "nocase" modifier).
$mutex01 = "Global\\MsWinZonesCacheCounterMutexA" ascii
$lang01 = "m_bulgarian.wnr" ascii
$lang02 = "m_vietnamese.wnry" ascii
// Group 4: start/scheduling argument strings (ascii only).
$startarg01 = "StartTask" ascii
$startarg02 = "TaskStart" ascii
$startarg03 = "StartSchedule" ascii
// Group 3: family-name strings; $wcry01 and $wcry04 are also searched as UTF-16 ("wide").
$wcry01 = "WanaCrypt0r" ascii wide
$wcry02 = "WANACRY" ascii
$wcry03 = "WANNACRY" ascii
$wcry04 = "WNCRYT" ascii wide
// Group 2: NUL-terminated extension strings. The names suggest $forig01 is the
// original ".wnry" extension and $fvar01 a variant ".wry" — confirm against the reference.
$forig01 = ".wnry\x00" ascii
$fvar01 = ".wry\x00" ascii
condition:
// "all of ($fvar*)" currently resolves to just $fvar01; it is written as a set so
// additional variant extensions can be added without touching the condition.
($mutex01 or any of ($lang*)) and ( $forig01 or all of ($fvar*) ) and any of ($wcry*) and any of ($startarg*)
}
// In-memory WannaCryptor detector (companion to wannacry_static_ransom). Every
// string below must be present; no single one is considered distinctive enough on its own.
rule wannacry_memory_ransom : wannacry_memory_ransom {
meta:
description = "Detects WannaCryptor spreaded during 2017-May-12th campaign and variants in memory"
author = "Blueliv"
reference = "https://blueliv.com/research/wannacrypt-malware-analysis/"
date = "2017-05-15"
strings:
// printf-style file-name templates: an 8-hex-digit name with the .eky/.pky/.res/.dky extensions.
// No modifiers are given, so these are matched as ascii only (YARA default).
$s01 = "%08X.eky"
$s02 = "%08X.pky"
$s03 = "%08X.res"
$s04 = "%08X.dky"
// Executable name of the decryptor component.
$s05 = "@WanaDecryptor@.exe"
condition:
// All five strings are required (no partial-match threshold).
all of them
}
// Detector for the SMB worm component used in the 2017-May-12th campaign.
// Several strings here ("SMB3", "SMBu", "%d.%d.%d.%d") are short and generic and would
// be noisy in isolation; the rule only fires when every string, including the two
// UTF-16 OS-version payload strings, is present.
rule worm_ms17_010 : worm_ms17_010 {
meta:
description = "Detects Worm used during 2017-May-12th WannaCry campaign, which is based on ETERNALBLUE"
author = "Blueliv"
reference = "https://blueliv.com/research/wannacrypt-malware-analysis/"
date = "2017-05-15"
strings:
// Placeholder tokens (note the trailing "@" on $s02) — ascii only.
$s01 = "__TREEID__PLACEHOLDER__" ascii
$s02 = "__USERID__PLACEHOLDER__@" ascii
// Four-byte SMB markers; no modifier, so ascii by default. There is no $s04 (numbering gap).
$s03 = "SMB3"
$s05 = "SMBu"
$s06 = "SMBs"
$s07 = "SMBr"
// Command-line template and a dotted-quad format string (likely an IPv4 address template).
$s08 = "%s -m security" ascii
$s09 = "%d.%d.%d.%d"
// OS-version strings spelled out as raw UTF-16LE byte escapes (each ascii character
// followed by \x00, terminated by a double NUL). Decoded: "Windows 2000 2195".
$payloadwin2000_2195 =
"\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x32\x00\x31\x00\x39\x00\x35\x00\x00\x00"
// Decoded: "Windows 2000 5.0".
$payload2000_50 =
"\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x35\x00\x2e\x00\x30\x00\x00\x00"
condition:
// Every string above, $s* and both $payload* strings, must match.
all of them
}