Sneed-Reactivity/yara-mikesxrs/nshadov/RANSOMWARE_RAA.yar

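rule RANSOMWARE_RAA {
    // Flags JScript droppers resembling the RAA ransomware sample referenced in meta.
    // A file matches when it carries both family-specific markers ($sp*), or the
    // generic WSH/ActiveX scaffolding ($sb*) together with at least one $sp* marker.
    meta:
        description = "Identifies samples containing JS dropper similar to RAA ransomware."
        author = "nshadov"
        reference = "https://malwr.com/analysis/YmE4MDNlMzk2MjY3NDdlYWE1NzFiOTNlYzVhZTlkM2Y/"
        date = "2016-06-15"
        // Hash of the reference sample (32 hex chars, so presumably MD5 — verify against the reference).
        hash = "535494aa6ce3ccef7346b548da5061a9"
        // Presumably false-alarm / false-reject rates; the author did not measure them.
        far = "unknown"
        frr = "unknown"
    strings:
        // $sp*: markers specific to this family — an in-script CryptoJS AES decrypt call
        // and the "RAA-SEP" token.
        $sp0 = "CryptoJS.AES.decrypt" fullword ascii
        $sp1 = "RAA-SEP" fullword ascii
        // $sb*: Windows Script Host / ActiveX object creation shared by many JS droppers.
        // These are likely present in benign scripts as well, so the condition never
        // lets them match on their own.
        $sb0 = "ActiveXObject(\"Scriptlet.TypeLib\")" fullword ascii
        $sb1 = "ActiveXObject(\"Scripting.FileSystemObject\")" fullword ascii
        $sb2 = "WScript.CreateObject(\"WScript.Shell\");" fullword ascii
    condition:
        // Size window (exclusive on both ends) limits matching to plausible script sizes
        // and cuts scan cost on large binaries.
        filesize > 10KB and filesize < 800KB and
        (
            all of ($sp*)
            or ( all of ($sb*) and 1 of ($sp*) )
        )
}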