08e8d462fe
RED PILL 🔴 💊
27 lines
989 B
Text
27 lines
989 B
Text
rule Hermes2_1 {
|
|
meta:
|
|
description = "Detects Hermes Ransomware as used in BAE report on FEIB"
|
|
date = "2017/10/11"
|
|
author = "BAE"
|
|
reference = "https://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html"
|
|
hash = "b27881f59c8d8cc529fa80a58709db36"
|
|
id = "13397a43-04e1-5cc1-9260-9895736013f3"
|
|
strings:
|
|
//in both version 2.1 and sample in Feb
|
|
$s1 = "SYSTEM\\CurrentControlSet\\Control\\Nls\\Language\\"
|
|
$s2 = "0419"
|
|
$s3 = "0422"
|
|
$s4 = "0423"
|
|
//in version 2.1 only
|
|
$S1 = "HERMES"
|
|
$S2 = "vssadminn"
|
|
$S3 = "finish work"
|
|
$S4 = "testlib.dll"
|
|
$S5 = "shadowstorageiet"
|
|
//maybe unique in the file
|
|
$u1 = "ALKnvfoi4tbmiom3t40iomfr0i3t4jmvri3tb4mvi3btv3rgt4t777"
|
|
$u2 = "HERMES 2.1 TEST BUILD, press ok"
|
|
$u3 = "hnKwtMcOadHwnXutKHqPvpgfysFXfAFTcaDHNdCnktA" //RSA Key part
|
|
condition:
|
|
uint16(0) == 0x5a4d and all of ($s*) and 3 of ($S*) and 1 of ($u*)
|
|
}
|