08e8d462fe
RED PILL 🔴 💊
66 lines
No EOL
1.4 KiB
Text
66 lines
No EOL
1.4 KiB
Text
// yara rules that can cross boundaries between the various sets/types... more general detection signatures
|
|
import "pe"
|
|
|
|
rule wiper_unique_strings
|
|
{
|
|
meta:
|
|
copyright = "2015 Novetta Solutions"
|
|
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
|
|
company = "novetta"
|
|
|
|
strings:
|
|
$a = "C!@I#%VJSIEOTQWPVz034vuA"
|
|
$b = "BAISEO%$2fas9vQsfvx%$"
|
|
$c = "1.2.7.f-hanba-win64-v1"
|
|
$d = "md %s© %s\\*.* %s"
|
|
$e = "%sd.e%sc n%ssh%srewa%s ad%s po%sop%sing T%s %d \"%s\""
|
|
$f = "Ge.tVol. .umeIn..for mati.onW"
|
|
|
|
condition:
|
|
$a or $b or $c or $d or $e or $f
|
|
}
|
|
|
|
|
|
rule wiper_encoded_strings
|
|
{
|
|
meta:
|
|
copyright = "2015 Novetta Solutions"
|
|
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
|
|
company = "novetta"
|
|
|
|
strings:
|
|
$scr = {89 D4 C4 D5 00 00 00}
|
|
$explorer = {E2 DF D7 CB C8 D5 C2 D5 89 C2 DF C2 00 00 00 }
|
|
$kernel32 = {CC C2 D5 C9 C2 CB 94 95 89 C3 CB CB 00 00 }
|
|
|
|
condition:
|
|
$scr or $explorer or $kernel32
|
|
}
|
|
|
|
|
|
rule createP2P
|
|
{
|
|
meta:
|
|
copyright = "2015 Novetta Solutions"
|
|
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
|
|
|
|
strings:
|
|
$ = "CreatP2P Thread" wide
|
|
|
|
condition:
|
|
any of them
|
|
}
|
|
|
|
rule firewallOpener
|
|
{
|
|
meta:
|
|
copyright = "2015 Novetta Solutions"
|
|
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
|
|
|
|
strings:
|
|
$ = "%sd.e%sc n%ssh%srewa%s ad%s po%sop%sing T%s %d \"%s\""
|
|
|
|
condition:
|
|
any of them
|
|
|
|
} |