/
crime_wannacry.yar
147 lines (136 loc) · 5.97 KB
/
crime_wannacry.yar
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
/*
Yara Rule Set
Author: Florian Roth
Date: 2017-05-12
Identifier: WannaCry
Reference: https://goo.gl/HG2j5T
*/
/* Rule Set ----------------------------------------------------------------- */
rule WannaCry_Ransomware {
meta:
description = "Detects WannaCry Ransomware"
author = "Florian Roth (Nextron Systems) (with the help of binar.ly)"
reference = "https://goo.gl/HG2j5T"
date = "2017-05-12"
hash1 = "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
id = "2e46b4db-8c94-53ed-ae27-31dd37b04940"
strings:
$x1 = "icacls . /grant Everyone:F /T /C /Q" fullword ascii
$x2 = "taskdl.exe" fullword ascii
$x3 = "tasksche.exe" fullword ascii
$x4 = "Global\\MsWinZonesCacheCounterMutexA" fullword ascii
$x5 = "WNcry@2ol7" fullword ascii
$x6 = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" ascii
$x7 = "mssecsvc.exe" fullword ascii
$x8 = "C:\\%s\\qeriuwjhrf" fullword ascii
$x9 = "icacls . /grant Everyone:F /T /C /Q" fullword ascii
$s1 = "C:\\%s\\%s" fullword ascii
$s2 = "<!-- Windows 10 --> " fullword ascii
$s3 = "cmd.exe /c \"%s\"" fullword ascii
$s4 = "msg/m_portuguese.wnry" fullword ascii
$s5 = "\\\\192.168.56.20\\IPC$" fullword wide
$s6 = "\\\\172.16.99.5\\IPC$" fullword wide
$op1 = { 10 ac 72 0d 3d ff ff 1f ac 77 06 b8 01 00 00 00 }
$op2 = { 44 24 64 8a c6 44 24 65 0e c6 44 24 66 80 c6 44 }
$op3 = { 18 df 6c 24 14 dc 64 24 2c dc 6c 24 5c dc 15 88 }
$op4 = { 09 ff 76 30 50 ff 56 2c 59 59 47 3b 7e 0c 7c }
$op5 = { c1 ea 1d c1 ee 1e 83 e2 01 83 e6 01 8d 14 56 }
$op6 = { 8d 48 ff f7 d1 8d 44 10 ff 23 f1 23 c1 }
condition:
uint16(0) == 0x5a4d and filesize < 10000KB and ( 1 of ($x*) and 1 of ($s*) or 3 of ($op*) )
}
rule WannaCry_Ransomware_Gen {
meta:
description = "Detects WannaCry Ransomware"
author = "Florian Roth (Nextron Systems) (based on rule by US CERT)"
reference = "https://www.us-cert.gov/ncas/alerts/TA17-132A"
date = "2017-05-12"
hash1 = "9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05"
hash2 = "8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df"
hash3 = "4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359"
id = "d28d3d76-9c24-5476-9a0c-936c17477d6a"
strings:
$s1 = "__TREEID__PLACEHOLDER__" ascii
$s2 = "__USERID__PLACEHOLDER__" ascii
$s3 = "Windows for Workgroups 3.1a" fullword ascii
$s4 = "PC NETWORK PROGRAM 1.0" fullword ascii
$s5 = "LANMAN1.0" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 5000KB and all of them
}
rule WannCry_m_vbs {
meta:
description = "Detects WannaCry Ransomware VBS"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/HG2j5T"
date = "2017-05-12"
hash1 = "51432d3196d9b78bdc9867a77d601caffd4adaa66dcac944a5ba0b3112bbea3b"
id = "a8f13bd2-984d-5c8c-ac53-7d442e222850"
strings:
$x1 = ".TargetPath = \"C:\\@" ascii
$x2 = ".CreateShortcut(\"C:\\@" ascii
$s3 = " = WScript.CreateObject(\"WScript.Shell\")" ascii
condition:
( uint16(0) == 0x4553 and filesize < 1KB and all of them )
}
rule WannCry_BAT {
meta:
description = "Detects WannaCry Ransomware BATCH File"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/HG2j5T"
date = "2017-05-12"
hash1 = "f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077"
id = "0929f0de-28ac-5534-a6fd-7b131abda011"
strings:
$s1 = "@.exe\">> m.vbs" ascii
$s2 = "cscript.exe //nologo m.vbs" fullword ascii
$s3 = "echo SET ow = WScript.CreateObject(\"WScript.Shell\")> " ascii
$s4 = "echo om.Save>> m.vbs" fullword ascii
condition:
( uint16(0) == 0x6540 and filesize < 1KB and 1 of them )
}
rule WannaCry_RansomNote {
meta:
description = "Detects WannaCry Ransomware Note"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/HG2j5T"
date = "2017-05-12"
hash1 = "4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e"
id = "65ce8faf-0981-5382-bc15-f094ccaa9f54"
strings:
$s1 = "A: Don't worry about decryption." fullword ascii
$s2 = "Q: What's wrong with my files?" fullword ascii
condition:
( uint16(0) == 0x3a51 and filesize < 2KB and all of them )
}
/* Kaspersky Rule */
rule APT_lazaruswannacry {
meta:
description = "Rule based on shared code between Feb 2017 Wannacry sample and Lazarus backdoor from Feb 2015 discovered by Neel Mehta"
date = "2017-05-15"
reference = "https://twitter.com/neelmehta/status/864164081116225536"
author = "Costin G. Raiu, Kaspersky Lab"
version = "1.0"
hash = "9c7c7149387a1c79679a87dd1ba755bc"
hash = "ac21c8ad899727137c4b94458d7aa8d8"
id = "e9dd9750-2366-503a-a879-972dbead6bf3"
strings:
$a1 = { 51 53 55 8B 6C 24 10 56 57 6A 20 8B 45 00 8D 75
04 24 01 0C 01 46 89 45 00 C6 46 FF 03 C6 06 01 46
56 E8 }
$a2 = { 03 00 04 00 05 00 06 00 08 00 09 00 0A 00 0D 00
10 00 11 00 12 00 13 00 14 00 15 00 16 00 2F 00
30 00 31 00 32 00 33 00 34 00 35 00 36 00 37 00
38 00 39 00 3C 00 3D 00 3E 00 3F 00 40 00 41 00
44 00 45 00 46 00 62 00 63 00 64 00 66 00 67 00
68 00 69 00 6A 00 6B 00 84 00 87 00 88 00 96 00
FF 00 01 C0 02 C0 03 C0 04 C0 05 C0 06 C0 07 C0
08 C0 09 C0 0A C0 0B C0 0C C0 0D C0 0E C0 0F C0
10 C0 11 C0 12 C0 13 C0 14 C0 23 C0 24 C0 27 C0
2B C0 2C C0 FF FE }
condition:
uint16(0) == 0x5A4D and filesize < 15000000 and all of them
}