08e8d462fe
RED PILL 🔴 💊
230 lines
5.9 KiB
Text
230 lines
5.9 KiB
Text
rule RansomCryptoApp_A
|
|
{
|
|
meta:
|
|
Description = "Ransom.CryptoApp.sm"
|
|
ThreatLevel = "5"
|
|
|
|
strings:
|
|
|
|
$pdb0 = "CryptoApp.pdb" ascii wide
|
|
$pdb1 = "KeepAlive.pdb" ascii wide
|
|
$pdb2 = "SelfDestroy.pdb" ascii wide
|
|
$pdb3 = "CoreDownloader.pdb" ascii wide
|
|
|
|
condition:
|
|
(3 of them) or (any of ($pdb*))
|
|
}
|
|
|
|
rule RansomCryptoWallApp_3
|
|
{
|
|
meta:
|
|
Description = "Ransom.CryptoWall.sm"
|
|
ThreatLevel = "5"
|
|
|
|
strings:
|
|
|
|
$s0 = "spatopayforwin.com" ascii wide
|
|
$s1 = "bythepaywayall.com" ascii wide
|
|
$s2 = "lowallmoneypool.com" ascii wide
|
|
$s3 = "transoptionpay.com" ascii wide
|
|
$s4 = "HELP_DECRYPT" ascii wide nocase
|
|
|
|
$s5 = "speralreaopio.com" ascii wide
|
|
$s6 = "vremlreafpa.com" ascii wide
|
|
$s7 = "wolfwallsreaetpay.com" ascii wide
|
|
$s8 = "askhoreasption.com" ascii wide
|
|
|
|
condition:
|
|
any of ($s*)
|
|
}
|
|
|
|
rule RansomCBTLockerApp
|
|
{
|
|
meta:
|
|
Description = "Ransom.CBTLocker.sm"
|
|
ThreatLevel = "5"
|
|
|
|
strings:
|
|
|
|
$s0 = "Your personal files are encrypted by CTB-Locker" ascii wide
|
|
$s1 = "Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key,generated for this computer" ascii wide
|
|
$s2 = "Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key." ascii wide
|
|
$s3 = "If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program" ascii wide
|
|
|
|
$s6 = "keme132.DLL" ascii wide
|
|
$s7 = "klospad.pdb" ascii wide
|
|
|
|
condition:
|
|
(any of ($s*)) or (3 of them)
|
|
}
|
|
|
|
rule RansomEncryptorRaaSApp
|
|
{
|
|
meta:
|
|
Description = "Ransom.EncryptorRaaS.sm"
|
|
ThreatLevel = "5"
|
|
|
|
strings:
|
|
|
|
$s0 = "decryptoraveidf7.onion.to" ascii wide
|
|
$s1 = "encryptor_raas_readme_liesmich.txt" ascii wide
|
|
$s2 = "The files on your computer have been securely encrypted by Encryptor RaaS" ascii wide
|
|
$s3 = "Die Dateien auf Ihrem Computer wurden von Encryptor RaaS sicher verschluesselt" ascii wide
|
|
$s4 = "encryptor3awk6px.onion" ascii wide
|
|
|
|
condition:
|
|
any of ($s*)
|
|
}
|
|
|
|
rule RansomSampleTeslaCryptA
|
|
{
|
|
meta:
|
|
Description = "Ransom.TeslaCrypt.sm"
|
|
ThreatLevel = "5"
|
|
|
|
strings:
|
|
$ = "HOWTO_RESTORE_FILES.TXT" ascii wide nocase
|
|
$ = "HOWTO_RESTORE_FILES.bmp" ascii wide nocase
|
|
$ = "HOWTO_RESTORE_FILES.HTML" ascii wide nocase
|
|
condition:
|
|
any of them
|
|
}
|
|
|
|
rule RansomSampleTeslaCryptB
|
|
{
|
|
meta:
|
|
Description = "Ransom.TeslaCrypt.B.sm"
|
|
ThreatLevel = "5"
|
|
|
|
strings:
|
|
$ = "help_recover_instructions" ascii wide nocase
|
|
$ = "help_recover_instructions.TXT" ascii wide nocase
|
|
$ = "help_recover_instructions.png" ascii wide nocase
|
|
condition:
|
|
any of them
|
|
}
|
|
|
|
rule RansomSampleChimeraB
|
|
{
|
|
meta:
|
|
Description = "Ransom.Win32.Chimera.sm"
|
|
ThreatLevel = "5"
|
|
|
|
strings:
|
|
$ = "YOUR_FILES_ARE_ENCRYPTED.HTML" ascii wide nocase
|
|
$ = "Projects\\Ransom\\bin\\Release\\Core.pdb" ascii wide nocase
|
|
$ = "BM-2cW44Yq9DWbHYnRSfzBLVxvE6WjadchNBt" ascii wide nocase
|
|
condition:
|
|
any of them
|
|
}
|
|
|
|
rule RansomSampleLeChiffre
|
|
{
|
|
meta:
|
|
Description = "Ransom.Win32.LeChiffre.sm"
|
|
ThreatLevel = "5"
|
|
|
|
strings:
|
|
$ = "LeChiffre" ascii wide nocase
|
|
$ = "decrypt.my.files@gmail.com" ascii wide nocase
|
|
$ = "http://184.107.251.146/sipvoice.php?" ascii wide nocase
|
|
$ = "_secret_code.txt" ascii wide nocase
|
|
$ = "_How to decrypt LeChiffre files.html" ascii wide nocase
|
|
condition:
|
|
2 of them
|
|
}
|
|
|
|
rule RansomSampleHydraCrypt
|
|
{
|
|
meta:
|
|
Description = "Ransom.Win32.HydraCrypt.sm"
|
|
ThreatLevel = "5"
|
|
|
|
strings:
|
|
$ = "README_DECRYPT_HYDRA_ID_" ascii wide nocase
|
|
$ = "hydracrypt_ID_" ascii wide nocase
|
|
$ = "HYDRACRYPT" ascii wide nocase
|
|
$ = "ccc=hydra01_" ascii wide nocase
|
|
condition:
|
|
2 of them
|
|
}
|
|
|
|
rule RansomFilecoderA
|
|
{
|
|
meta:
|
|
Description = "Ransom.FileCoder.A.vb"
|
|
ThreatLevel = "5"
|
|
|
|
strings:
|
|
$ = "Guji36" ascii wide
|
|
$ = "Burnamedoxi" ascii wide
|
|
$ = "S48H1G54JSPSODKMGdfH1FD5G8DSDPSDKMFSSJJPGMCNDHS2FH5" ascii wide
|
|
condition:
|
|
any of them
|
|
}
|
|
|
|
rule RansomSampleLockyCrypt
|
|
{
|
|
meta:
|
|
Description = "Ransom.Win32.Locky.sm"
|
|
ThreatLevel = "5"
|
|
|
|
strings:
|
|
$s1 = ".locky" ascii wide nocase
|
|
$ = "&encrypted=" ascii wide nocase
|
|
$s2 = "_Locky_recover_instructions.txt" ascii wide nocase
|
|
$s3 = "_Locky_recover_instructions.bmp" ascii wide nocase
|
|
$ = "94.242.57.45" ascii wide nocase
|
|
$ = "46.4.239.76" ascii wide nocase
|
|
$s6 = "Software\\Locky" ascii wide nocase
|
|
$ = "vssadmin.exe Delete Shadows" ascii wide nocase
|
|
$ = "Locky" ascii wide nocase
|
|
|
|
$o1 = { 45 b8 99 f7 f9 0f af 45 b8 89 45 b8 } // address=0x4144a7
|
|
$o2 = { 2b 0a 0f af 4d f8 89 4d f8 c7 45 } // address=0x413863
|
|
|
|
condition:
|
|
(3 of them) or (any of ($s*)) or (all of ($o*))
|
|
}
|
|
|
|
rule RansomLocky
|
|
{
|
|
meta:
|
|
Description = "Ransom.Locky.ab"
|
|
ThreatLevel = "5"
|
|
strings:
|
|
$mz = { 4d 5a }
|
|
|
|
$inst1 = "_HELP_instructions.bmp" ascii wide
|
|
$inst2 = "_HELP_instructions.html" ascii wide
|
|
$inst3 = "_HELP_instructions.txt" ascii wide
|
|
$inst4 = "_Locky_recover_instructions.bmp" ascii wide
|
|
$inst5 = "_Locky_recover_instructions.txt" ascii wide
|
|
$deleteShadows = "vssadmin.exe" ascii wide // universal Ransom detect :)
|
|
|
|
$cyrptEP1 = {e8 95 23 ff ff 86 c8 86 ea e9 8d 23 ff ff 86 f4 e9 84 23 ff ff 86 c5} // EP paked locy
|
|
$cyrptEP2 = {55 8b ec eb 68 eb 66 eb 64 6a 00 6a 00 6a 00 6a 00 6a 00} // EP packed locy 2
|
|
|
|
condition:
|
|
( $mz at 0 ) and
|
|
(
|
|
$cyrptEP1 at entrypoint or
|
|
$cyrptEP2 at entrypoint or
|
|
(any of ($inst*)) or
|
|
$deleteShadows
|
|
)
|
|
}
|
|
|
|
rule RansomImportDetect
|
|
{
|
|
meta:
|
|
Description = "Ransom.Gen.ab"
|
|
ThreatLevel = "3"
|
|
condition:
|
|
(pe.imports("Kernel32.dll", "FindFirstFileW") or pe.imports("Kernel32.dll", "FindFirstFileA")) and
|
|
(pe.imports("Kernel32.dll", "FindNextFileW") or pe.imports("Kernel32.dll", "FindNextFileA")) and
|
|
(pe.imports("Advapi32.dll", "CryptAcquireContextW") or pe.imports("Advapi32.dll", "CryptAcquireContextA")) and
|
|
pe.imports("Advapi32.dll", "CryptEncrypt") and
|
|
pe.imports("Advapi32.dll", "CryptGenRandom")
|
|
}
|
|
|