Sneed-Reactivity/yara-mikesxrs/kaspersky/LazarusWannaCry.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

39 lines
1.2 KiB
Text

rule lazaruswannacry {
meta:
description = “Rule based on shared code between Feb 2017 Wannacry sample and Lazarus backdoor from Feb 2015 discovered by Neel Mehta”
date = “2017-05-15”
reference = “https://twitter.com/neelmehta/status/864164081116225536”
reference2 = "https://securelist.com/wannacry-and-lazarus-group-the-missing-link/78431/"
author = “Kaspersky Lab”
version = “1.0”
hash = “9c7c7149387a1c79679a87dd1ba755bc”
hash = “ac21c8ad899727137c4b94458d7aa8d8”
strings:
$a1={
51 53 55 8B 6C 24 10 56 57 6A 20 8B 45 00 8D 75
04 24 01 0C 01 46 89 45 00 C6 46 FF 03 C6 06 01
46 56 E8
}
$a2={
03 00 04 00 05 00 06 00 08 00 09 00 0A 00 0D 00
10 00 11 00 12 00 13 00 14 00 15 00 16 00 2F 00
30 00 31 00 32 00 33 00 34 00 35 00 36 00 37 00
38 00 39 00 3C 00 3D 00 3E 00 3F 00 40 00 41 00
44 00 45 00 46 00 62 00 63 00 64 00 66 00 67 00
68 00 69 00 6A 00 6B 00 84 00 87 00 88 00 96 00
FF 00 01 C0 02 C0 03 C0 04 C0 05 C0 06 C0 07 C0
08 C0 09 C0 0A C0 0B C0 0C C0 0D C0 0E C0 0F C0
10 C0 11 C0 12 C0 13 C0 14 C0 23 C0 24 C0 27 C0
2B C0 2C C0 FF FE
}
condition:
((uint16(0) == 0x5A4D)) and (filesize < 15000000) and
all of them
}